Abstract

Recursive relational specifications are commonly used to describe the computational structure of formal systems. Recent research in proof theory has identified two features that facilitate direct, logic-based reasoning about such descriptions: the interpretation of atomic judgments through recursive definitions and an encoding of binding constructs via generic judgments. However, logics encompassing these two features do not currently allow for the definition of relations that embody dynamic aspects related to binding, a capability needed in many reasoning tasks. We propose a new relation between terms called nominal abstraction as a means for overcoming this deficiency. We incorporate nominal abstraction into a rich logic also including definitions, generic quantification, induction, and co-induction that we then prove to be consistent. We present examples to show that this logic can provide elegant treatments of binding contexts that appear in many proofs, such as those establishing properties of typing calculi and of arbitrarily cascading substitutions that play a role in reducibility arguments.
1. Introduction

This paper contributes to an increasingly important approach to using relational specifications for formalizing and reasoning about a wide class of computational systems. This approach, whose theoretical underpinnings are provided by recent ideas from proof theory and proof search, has been used with success in codifying within a logical setting the methods of structural operational semantics that are often employed in describing aspects such as the evaluation and type assignment characteristics of programming languages. The main ingredients of this approach are the use of terms to represent the syntactic objects that are of interest in the relevant systems and the reflection of their dynamic aspects into judgments over such terms.

One common application of the method has utilized recursive relational specifications or judgments over algebraic terms. We highlight three stages of development in the kinds of judgments that have been employed in this context, using the transition semantics for CCS as a motivating example.

(1) Logic programming, may behavior. Logic programming languages allow for a natural encoding and animation of relational specifications. For example, Horn clauses provide a simple and immediate encoding of CCS labeled transition systems, and unification and backtracking provide a means for exploring what is reachable from a given process. An early system based on this observation was Centaur [1], which used Prolog to animate the operational semantics and typing judgments of programming languages. Traditional logic programming is, however, limited to describing only may behavior judgments. For example, using it, we are not able to prove that a given CCS process $P$ cannot make a transition. Since this negative property is logically equivalent to proving that $P$ is bisimilar to the null process $0$, such systems also cannot capture bisimulation.

(2) Model checking, must behavior. One way to account for must behavior is to allow for the unfolding of specifications in both positive and negative settings. Proof theoretic techniques that provided for such a treatment were developed in the early 1990's [?, ?] and extended in subsequent work [?]. In the basic form, these techniques require an unfolding until termination, and are therefore applicable to recursive definitions that are noetherian. Specifications that meet this restriction and, hence, to which this method is applicable, include bisimulation for finite processes and many model checking problems. As an example, bisimulation for finite CCS can be given an immediate and declarative treatment using these techniques.

(3) Theorem proving, infinite behavior. Reasoning about all members of a domain or about possibly infinite executions requires the addition of induction and co-induction to the above framework of recursive definitions. Incorporating induction in proof theory goes back to Gentzen. The work in [?, ?, ?] provides induction and co-induction rules associated with recursive relational specifications. In such a setting, one can prove, for example, that (strong) bisimulation in CCS is a congruence.

The systems that are to be specified and reasoned about often involve terms that use names and binding. An elegant way to treat such terms is to encode them as λ-terms and equate them using the theory of α-, β-, and η-conversion. The three stages discussed above need to be extended to treat representations based on such terms. The manner in which this has been done is illustrated next using the relational specification of the π-calculus [?].

(1) Logic programming, λ-tree syntax. Higher-order generalizations of logic programming, such as higher-order hereditary Harrop formulas [10] and the dependently typed LF [11], adequately capture may behavior for terms containing bindings. In particular, the presence of hypothetical and universal judgments supports the λ-tree syntax [12] approach to higher-order abstract syntax [13]. The logic programming languages λProlog [14] and Twelf [15] support such syntax representations and can be used to provide simple specifications of, for example, reachability in the π-calculus.

(2) Model checking, ∇-quantification. While the notions of universal quantification and generic judgment are often conflated, a satisfactory treatment of must behavior requires splitting apart these concepts. The ∇-quantifier [16] was introduced to encode generic judgments directly. To illustrate the need for this split, consider the formula $\forall w.\neg(\lambda x.x = \lambda x.w)$. If we think of λ-terms as denoting abstracted syntax (terms modulo α-conversion), this formula should be provable (variable capture is not allowed in logically sound substitution). On the other hand, if we think of λ-terms as describing functions, then the equation $\lambda y.t = \lambda y.s$ is equivalent to $\forall y.t = s$. But then our example formula is equivalent to $\forall w.\neg\forall x.x = w$, which should not be provable since it is not true in a model with a single element domain. To think of λ-terms syntactically instead, we treat $\lambda y.t = \lambda y.s$ as equivalent to $\nabla y.t = s$. In this case, our example formula is equivalent to $\forall w.\neg\nabla x.x = w$, which is provable [16]. Using a representation based on this new quantifier, the π-calculus process $(\nu x).[x = w].\bar{w}x$ can be proved to be bisimilar to $0$. Bedwyr [17] is a model checker that treats such generic judgments.

(3) Theorem proving, equality of generic judgments. When there is only finite behavior, logics for recursive definitions do not need the cut or initial rules, and, consequently, there is no need to know when two judgments are the same. On the other hand, the treatment of induction and co-induction relies on the ability to make such identifications: e.g., when carrying out an inductive argument over natural numbers, one must be able to recognize when the case for $i + 1$ has been reduced to the case for $i$. This identity question is complicated by the presence of the ∇-quantifier: for example, the proof search treatment of such quantifiers involves instantiation with generic objects whose choice of name is arbitrary and this must be factored into assessments of equality. The LGω proof system [18] provides a way to address this issue and uses this to support inductive reasoning over recursive definitions. Using LGω encodings extended with co-induction (as described in this paper), one can prove, for instance, that (open) bisimulation is a π-calculus congruence.

The key observation underlying this paper is that logics like LGω are still missing an ingredient that is important to many reasoning tasks. Within these logics, the ∇-quantifier can be used to control the structure of terms relative to the generic judgments in which they occur. However, these logics do not possess a complementary device for simply and precisely characterizing such structure within the logic. Consider, for example, the natural way to specify typing of λ-terms in this setting [19]. The representation of λ-terms within this approach uses (meta-level) abstracted variables to encode object-level bound variables and ∇-bound variables (also called here nominal constants) to encode object-level free variables. Conceptually, the type specification uses recursion over the representation of λ-terms, transforming abstracted variables into nominal constants, and building a context that associates nominal constants with types. Now suppose that the list $[(x_1,t_1),\ldots,(x_n,t_n)]$ represents a particular context. The semantics of the ∇-quantifier ensures that each $x_i$ in this list is a unique nominal constant. This property is important to the integrity of the type assignment. Moreover, making it explicit can also be important to the reasoning process; for example, a proof of the uniqueness of type assignment would draw critically on this fact. Unfortunately, LGω and related logics do not possess a succinct and general way to express such a property.

This paper describes a way of realizing this missing feature, thereby yielding a logic that represents a natural endpoint to this line of development. The particular means for overcoming the deficiency is a technical device called a nominal abstraction. In its essence, nominal abstraction is an extension of the equality relation between terms that allows for the characterization also of occurrences of nominal constants in such terms. Combining this relation with definitions, we will, for instance, be able to specify a property of the form

$$\nabla x_1 \cdots \nabla x_n.\ \mathit{cntx}\ [(x_1,t_1),\ldots,(x_n,t_n)]$$

which effectively asserts that $\mathit{cntx}$ is true of a list of type assignments to $n$ distinct nominal constants. By exploiting the recursive structure of definitions, $\mathit{cntx}$ can further be defined so that the length of the list is arbitrary. We integrate nominal abstraction into a broader logical context that includes also the ability to interpret definitions inductively and co-inductively. The naturalness of nominal abstraction is clear from the modular way in which we are able to define and prove consistent this extended logic. We present examples of specification and reasoning to bring out the usefulness of the logic we have developed, focusing especially on the capabilities resulting from nominal abstraction.

The rest of the paper is structured as follows. We develop the logic 𝒢, a rather rich logic, in the next three sections. Section 2 presents the rules for the core fragment of 𝒢 that is inherited from LGω. Section 3 introduces the nominal abstraction relation with its associated inference rules. Finally, Section 4 completes the framework by adding the mechanism of recursive definitions together with the possibility of interpreting these inductively or co-inductively. A central technical result of this paper is the cut-elimination theorem for 𝒢, which is presented in Section 5; an immediate consequence of this theorem is the consistency of 𝒢. Section 6 introduces a more flexible and suggestive style for recursive definitions that allows one to directly define generic judgments: such definitions allow for the use of "∇ in the head." We show that this style of definition can be accounted for by using the nominal abstraction predicate. Section 7 presents a collection of examples that illustrate the expressiveness of nominal abstraction in 𝒢; a reader who is interested in seeing motivating examples first might peruse this section before digesting the detailed proofs in the earlier sections. Section 8 compares the development in this paper with recent related work on specification and reasoning techniques.



This paper extends the conference paper [20] in two important ways. First, nominal abstraction is used here as a more general and modular method for obtaining the benefits of allowing ∇-quantification in the "heads of definitions". Second, the modularity provided by nominal abstraction is exploited to allow recursive definitions to be read inductively and co-inductively. The logic in [20] was called 𝒢: this name is reused here for a richer logic. The logic in this paper has also been implemented in the Abella theorem prover [21] and that implementation has been used to prove theorems in a number of topics [19].



2. A Logic with Generic Quantification

The core logic underlying 𝒢 is obtained by extending an intuitionistic and predicative subset of Church's Simple Theory of Types with a treatment of generic judgments. The encoding of generic judgments is based on the quantifier called ∇ (pronounced nabla) introduced by Miller and Tiu [16] and further includes the structural rules associated with this quantifier in the logic LGω described by Tiu [18]. While it is possible to develop a classical variant of 𝒢 as well, we do not follow that path here, observing simply that the choice between an intuitionistic and a classical interpretation can lead to interesting differences in the meaning of specifications written in the logic. For example, it has been shown that the specification of bisimulation for the π-calculus within this logic corresponds to open bisimulation under an intuitionistic reading and to late bisimulation under a classical reading [22].



2.1. The basic syntax

Following Church [23], terms are constructed from constants and variables using abstraction and application. All terms are assigned types using a monomorphic typing system; these types also constrain the set of well-formed expressions in the expected way. The collection of types includes $o$, a type that corresponds to propositions. Well-formed terms of this type are also called formulas. We assume that $o$ does not appear in the argument types of any nonlogical constant. Two terms are considered to be equal if one can be obtained from the other by a sequence of applications of the α-, β- and η-conversion rules, i.e., the λ-conversion rules. This notion of equality is henceforth assumed implicitly wherever there is a need to compare terms. Logic is introduced by including special constants representing the propositional connectives $\top$, $\bot$, $\wedge$, $\vee$, $\supset$ and, for every type $\tau$ that does not contain $o$, the constants $\forall_\tau$ and $\exists_\tau$ of type $(\tau \to o) \to o$. The binary propositional connectives are written as usual in infix form and the expressions $\forall_\tau x.B$ and $\exists_\tau x.B$ abbreviate the formulas $\forall_\tau \lambda x.B$ and $\exists_\tau \lambda x.B$, respectively. Type subscripts will be omitted from quantified formulas when they can be inferred from the context or are not important to the discussion. We also use a shorthand for iterated quantification: if $Q$ is a quantifier, the expression $Qx_1,\ldots,x_n.P$ will abbreviate $Qx_1 \ldots Qx_n.P$.

The usual inference rules for the universal quantifier can be seen as equating it to the conjunction of all of its instances: that is, this quantifier is treated extensionally. There are several situations where one wishes to treat an expression such as "$B(x)$ holds for all $x$" as a statement about the existence of a uniform argument for every instance rather than the truth of a particular property for each instance [16]; such situations typically arise when one is reasoning about the binding structure of formal objects represented using the λ-tree syntax [12] version of higher-order abstract syntax [13]. The ∇-quantifier serves to encode judgments that have this kind of a "generic" property associated with them. Syntactically, this quantifier corresponds to including a constant of type $(\tau \to o) \to o$ for each type $\tau$ not containing $o$.¹ As with the other quantifiers, $\nabla_\tau x.B$ abbreviates $\nabla_\tau \lambda x.B$ and the type subscripts are often suppressed for readability.

2.2. Generic judgments and ∇-quantification

Towards understanding the ∇-quantifier, let us consider the rule for typing abstractions in the simply-typed λ-calculus as an example of something that we might want to encode within 𝒢. This rule has the form

$$\frac{\Gamma, x{:}\alpha \vdash t : \beta \qquad x \notin \mathrm{dom}(\Gamma)}{\Gamma \vdash (\lambda x{:}\alpha.\,t) : \alpha \to \beta}$$

In the conclusion of this rule, the variable $x$ is bound and its scope is clearly delimited by the abstraction that binds it. It appears that $x$ is free in the premise of the rule, but it is in fact implicitly bound over the judgment whose subcomponents, specifically $\Gamma$, also constrain its identity. One way to precisely encode this rule in a meta-logic is to introduce an explicit quantifier over $x$ in the upper judgment; in a proof search setting, the encoding of the rule can then be understood as one that moves a term level binding to a formula level binding. However, the quantifier that is used must have special properties. First, it should enforce a property of genericity on proofs: we want the associated typing judgment to have a derivation that is independent of the choice of term for $x$. Second, we should be able to assume and to use the property that instantiation terms chosen for $x$ are distinct from other terms appearing in the judgment, in particular, in $\Gamma$.

Neither the existential nor the universal quantifier has quite the characteristics needed for $x$ in the encoding task considered. Miller and Tiu [16] therefore introduced the ∇-quantifier for this purpose. Using this quantifier, the typing rule can be represented by a formula like

$$\forall \Gamma, t, \alpha, \beta.\,(\nabla x.(\Gamma, x{:}\alpha \vdash t\,x : \beta)) \supset (\Gamma \vdash (\lambda x{:}\alpha.\,t\,x) : \alpha \to \beta)$$

where $t$ has a higher-order type which allows its dependency on $x$ to be made explicit. The inference rules associated with the ∇-quantifier are designed to ensure the adequacy of such an encoding: the formula $\nabla x.F$, also called a generic judgment, must be established by deriving $F$ assuming $x$ to be a completely generic variable and in deriving $\nabla x\nabla y.F$ it is assumed that the instantiations for $x$ and $y$ are distinct. In the logic 𝒢, we shall assume two further "structural" properties for the ∇-quantifier which flow naturally from the application domains of interest. First, we shall allow for ∇-strengthening, i.e., we will take $\nabla x.F$ and $F$ to be equivalent if $x$ does not appear in $F$. Second, we shall take the relative order of ∇-quantifiers to be irrelevant, i.e., we shall permit a ∇-exchange principle; the formulas $\nabla x\nabla y.F$ and $\nabla y\nabla x.F$ will be considered to be equivalent. These assumptions facilitate a simplification of the inference rules, allowing us to realize generic judgments through a special kind of constants called nominal constants.



¹ We may choose to allow ∇-quantification at fewer types in particular applications; such a restriction may be useful in adequacy arguments for reasons we discuss later.

Figure 1: The core rules of 𝒢 [figure not reproduced]



2.3. A sequent calculus presentation of the core logic

The logic 𝒢 assumes that the collection of constants is partitioned into the set 𝒞 of nominal constants and the set 𝒦 of usual, non-nominal constants. We assume the set 𝒞 contains an infinite number of nominal constants for each type at which ∇ quantification is permitted. We define the support of a term (or formula), written $\mathrm{supp}(t)$, as the set of nominal constants appearing in it. A permutation of nominal constants is a type-preserving bijection $\pi$ from 𝒞 to 𝒞 such that $\{x \mid \pi(x) \neq x\}$ is finite. The application of a permutation $\pi$ to a term $t$, denoted by $\pi.t$, is defined as follows:

$$\begin{array}{ll}
\pi.a = \pi(a), \text{ if } a \in \mathcal{C} & \pi.c = c, \text{ if } c \notin \mathcal{C} \text{ is atomic} \\
\pi.(\lambda x.M) = \lambda x.(\pi.M) & \pi.(M\ N) = (\pi.M)\ (\pi.N)
\end{array}$$
We extend the notion of equality between terms to encompass also the application of permutations to nominal constants appearing in them. Specifically, the relation $B \approx B'$ holds if there is a permutation $\pi$ such that $B$ λ-converts to $\pi.B'$. Since λ-convertibility is an equivalence relation and permutations are invertible and composable, it follows that $\approx$ is an equivalence relation.

The rules defining the core of 𝒢 are presented in Figure 1. Sequents in this logic have the form $\Sigma : \Gamma \vdash C$ where $\Gamma$ is a multiset and the signature $\Sigma$ contains all the free variables of $\Gamma$ and $C$. In keeping with our restriction on quantification, we assume that $o$ does not appear in the type of any variable in $\Sigma$. The expression $B[t/x]$ in the quantifier rules denotes the capture-avoiding substitution of $t$ for $x$ in the formula $B$. In the $\nabla\mathcal{L}$ and $\nabla\mathcal{R}$ rules, $a$ denotes a nominal constant of an appropriate type. In the $\exists\mathcal{L}$ and $\forall\mathcal{R}$ rules we use raising [?] to encode the dependency of the quantified variable on the support of $B$; the expression $(h\ c)$, in which $h$ is a fresh eigenvariable, is used in these two rules to denote the (curried) application of $h$ to the constants appearing in the sequence $c$. The $\forall\mathcal{L}$ and $\exists\mathcal{R}$ rules make use of judgments of the form $\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau$. These judgments enforce the requirement that the expression $t$ instantiating the quantifier in the rule is a well-formed term of type $\tau$ constructed from the eigenvariables in $\Sigma$ and the constants in $\mathcal{K} \cup \mathcal{C}$. Notice that in contrast the $\forall\mathcal{R}$ and $\exists\mathcal{L}$ rules seem to allow for a dependency on only a restricted set of nominal constants. This asymmetry is not, however, significant: a consequence of Corollary 20 in Section 5 is that the dependency expressed through raising in the latter rules can be extended to any number of nominal constants that are not in the relevant support set without affecting the provability of sequents.

Equality modulo λ-conversion is built into the rules in Figure 1, and also into later extensions of this logic, in a fundamental way: in particular, proofs are preserved under the replacement of formulas in sequents by ones to which they λ-convert. A more involved observation is that we can replace a formula $B$ in a sequent by another formula $B'$ such that $B \approx B'$ without affecting the provability of the sequent or even the very structure of the proof. As a particular example, if $a$ and $b$ are nominal constants, then the following three sequents are all derivable: $P\,a \vdash P\,a$, $P\,b \vdash P\,b$, and $P\,a \vdash P\,b$. The last of these examples makes clear that nominal constants represent implicit quantification whose scope is limited to individual formulas in a sequent rather than ranging over the entire sequent. For the core logic, this observation follows from the form of the $\mathit{id}$ rule and the fact that permutations distribute over logical structure. We shall prove this property explicitly for the full logic in Section 5.

The treatment of ∇-quantification via nominal constants also validates the ∇-exchange and ∇-strengthening principles discussed earlier. It is interesting to note that the latter principle implies that every type at which one is willing to use ∇-quantification is non-empty and, in fact, contains an unbounded number of members. For example, the formula $\exists_\tau x.\top$ is always provable, even if there are no closed terms of type $\tau$, because this formula is equivalent to $\nabla_\tau y.\exists_\tau x.\top$, which is provable. Similarly, for any given $n > 1$, the following formula is provable



3. Characterizing Occurrences of Nominal Constants

We are interested in adding to our logic the capability of characterizing occurrences of nominal constants within terms and also of analyzing the structure of terms with respect to such occurrences. For example, we may want to define a predicate called $\mathit{name}$ that holds of a term exactly when that term is a nominal constant. Similarly, we might need to identify a binary relation called $\mathit{fresh}$ that holds between two terms just in the case that the first term is a nominal constant that does not occur in the second term. Towards supporting such possibilities, we define in this section a special binary relation called nominal abstraction and then present proof rules that incorporate an understanding of this relation into the logic. A formalization of these ideas requires a careful treatment of substitution. In particular, this operation must be defined to respect the intended formula level scope of nominal constants. We begin our discussion with an elaboration of this aspect.

3.1. Substitutions and their interaction with nominal constants

The following definition reiterates a common view of substitutions in logical contexts.

Definition 1. A substitution is a type preserving mapping from variables to terms that is the identity at all but a finite number of variables. The domain of a substitution is the set of variables that are not mapped to themselves and its range is the set of terms resulting from applying it to the variables in its domain. We write a substitution as $\{t_1/x_1, \ldots, t_n/x_n\}$ where $x_1, \ldots, x_n$ is a list of variables that contains the domain of the substitution and $t_1, \ldots, t_n$ is the value of the map on these variables. The support of a substitution $\theta$, written as $\mathrm{supp}(\theta)$, is the set of nominal constants that appear in the range of $\theta$. The restriction of a substitution $\theta$ to the set of variables $\Sigma$, written as $\theta\!\uparrow\!\Sigma$, is a mapping that is like $\theta$ on the variables in $\Sigma$ and the identity everywhere else.

A substitution essentially calls for the replacement of variables by their associated terms in any context to which it is applied. A complicating factor is that we will want to consider substitutions in which nominal constants appear in the terms that are to replace particular variables. Such a substitution will typically be determined relative to one formula in a sequent but may then have to be applied to other formulas in the same sequent. In doing this, we have to take into account the fact that the scopes of the implicit quantifiers over nominal constants are restricted to individual formulas. Thus, the logically correct application of a substitution should be accompanied by a renaming of these nominal constants in the term being substituted into so as to ensure that they are not confused with the ones appearing in the range of the substitution. For example, consider the formula $p\,a\,x$ where $a$ is a nominal constant and $x$ is a variable; this formula is intended to be equivalent to $\nabla a.p\,a\,x$. If we were to substitute $f\,a$ for $x$ naively into it, we would obtain the formula $p\,a\,(f\,a)$. However, this results in an unintended capture of a nominal constant by an (implicit) quantifier as a result of a substitution. To carry out the substitution in a way that avoids such capture, we should first rename the nominal constant $a$ in $p\,a\,x$ to some other nominal constant $b$ and then apply the substitution to produce the formula $p\,b\,(f\,a)$.

Definition 2. The ordinary application of a substitution $\theta$ to a term $B$ is denoted by $B[\theta]$ and corresponds to the replacement of the variables in $B$ by the terms that $\theta$ maps them to, making sure, as usual, to avoid accidental binding of the variables appearing in the range of $\theta$. More precisely, if $\theta = \{t_1/x_1, \ldots, t_n/x_n\}$, then $B[\theta]$ is the term $(\lambda x_1 \ldots \lambda x_n.B)\ t_1 \ldots t_n$; this term is, of course, considered to be equal to any other term to which it λ-converts. By contrast, the nominal capture avoiding application of $\theta$ to $B$ is written as $B\llbracket\theta\rrbracket$ and is defined as follows. Assuming that $\pi$ is a permutation of nominal constants that maps those appearing in $\mathrm{supp}(B)$ to ones not appearing in $\mathrm{supp}(\theta)$, let $B' = \pi.B$. Then $B\llbracket\theta\rrbracket = B'[\theta]$.
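To make these definitions concrete, here is an added example that is not code from the paper or from the Abella implementation it mentions: a small Python model of the term language of Section 2.3 with permutation application $\pi.t$, the relation $\approx$ (decided here only up to renaming of bound variables, so inputs are assumed to be in β-normal form), the ordinary application $B[\theta]$ and the nominal capture avoiding application $B\llbracket\theta\rrbracket$ of Definition 2, and the composition $\theta \bullet \rho$ of Definition 4 below. The tuple encoding of terms, the function names, and the finite list `NOMINALS` standing in for the set 𝒞 are assumptions of this example.

```python
# Added example, not code from the paper or from Abella: a toy model of the term
# language of Section 2.3 (nominal constants, permutations, the relation ~) and of
# the substitution notions of Definitions 2 and 4. Assumed encoding: terms are
# nested tuples; lambda-conversion is checked only up to renaming of bound variables.
from itertools import count

def nom(a): return ('nom', a)      # nominal constant, a member of the set C
def con(c): return ('con', c)      # ordinary constant, a member of the set K
def var(x): return ('var', x)      # (eigen)variable
def lam(x, body): return ('abs', x, body)
def app(f, *args):                 # curried application f a1 ... an
    for a in args:
        f = ('app', f, a)
    return f

def perm_apply(pi, t):
    """pi.t for a permutation pi given as a dict on nominal constants."""
    if t[0] == 'nom': return nom(pi.get(t[1], t[1]))
    if t[0] in ('con', 'var'): return t
    if t[0] == 'abs': return lam(t[1], perm_apply(pi, t[2]))
    return ('app', perm_apply(pi, t[1]), perm_apply(pi, t[2]))

def supp(t):
    """supp(t): the nominal constants occurring in t."""
    if t[0] == 'nom': return {t[1]}
    if t[0] in ('con', 'var'): return set()
    if t[0] == 'abs': return supp(t[2])
    return supp(t[1]) | supp(t[2])

def free_vars(t):
    if t[0] == 'var': return {t[1]}
    if t[0] in ('nom', 'con'): return set()
    if t[0] == 'abs': return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

_fresh = count()
def fresh_var(avoid):
    while True:
        x = 'v%d' % next(_fresh)
        if x not in avoid: return x

def subst(t, theta):
    """Ordinary application t[theta]: binders are renamed so that free variables
    of the range are not captured, but nominal constants are left untouched."""
    if t[0] == 'var': return theta.get(t[1], t)
    if t[0] in ('nom', 'con'): return t
    if t[0] == 'abs':
        x, body = t[1], t[2]
        theta = {y: s for y, s in theta.items() if y != x}   # x is rebound here
        range_fv = set().union(*map(free_vars, theta.values()))
        if x in range_fv:                                   # avoid variable capture
            z = fresh_var(range_fv | free_vars(body))
            body, x = subst(body, {x: var(z)}), z
        return lam(x, subst(body, theta))
    return ('app', subst(t[1], theta), subst(t[2], theta))

def supp_subst(theta):
    return set().union(*map(supp, theta.values()))   # supp(theta)

def renaming_away(names, taken, universe):
    """A permutation (a dict of swaps) moving each nominal constant in `names`
    to one outside `taken`; `universe` enumerates the nominal constants."""
    pool = iter(c for c in universe if c not in taken)
    pi = {}
    for a in sorted(names):
        b = next(pool)
        pi[a], pi[b] = b, a
    return pi

def nominal_subst(t, theta, universe):
    """Nominal-capture-avoiding application t[[theta]] = (pi.t)[theta]."""
    pi = renaming_away(supp(t) & supp_subst(theta), supp(t) | supp_subst(theta), universe)
    return subst(perm_apply(pi, t), theta)

def compose(theta, rho, universe):
    """theta . rho = (pi.theta) o rho with supp(pi.theta) disjoint from supp(rho)."""
    pi = renaming_away(supp_subst(theta) & supp_subst(rho),
                       supp_subst(theta) | supp_subst(rho), universe)
    out = {x: subst(perm_apply(pi, s), rho) for x, s in theta.items()}
    for y, s in rho.items():
        out.setdefault(y, s)               # rho acts on its own outside dom(theta)
    return out

def perm_equiv(s, t):
    """s ~ t: s alpha-converts to pi.t for some permutation pi, built on the fly
    as a partial bijection on nominal constants."""
    fwd, bwd = {}, {}
    def go(s, t, bound):
        if s[0] != t[0]: return False
        if s[0] == 'nom':
            return fwd.setdefault(s[1], t[1]) == t[1] and bwd.setdefault(t[1], s[1]) == s[1]
        if s[0] == 'con': return s[1] == t[1]
        if s[0] == 'var':
            for x, y in reversed(bound):   # innermost binder wins
                if s[1] == x or t[1] == y: return s[1] == x and t[1] == y
            return s[1] == t[1]
        if s[0] == 'abs': return go(s[2], t[2], bound + [(s[1], t[1])])
        return go(s[1], t[1], bound) and go(s[2], t[2], bound)
    return go(s, t, [])

NOMINALS = ['a', 'b', 'c', 'd', 'e']   # constructed finite stand-in for the set C
def paper_example():
    """The page's example p a x with {f a / x}: naive versus capture-avoiding."""
    t, theta = app(con('p'), nom('a'), var('x')), {'x': app(con('f'), nom('a'))}
    return subst(t, theta), nominal_subst(t, theta, NOMINALS)
```

Calling `paper_example()` reproduces the page's illustration: the ordinary application yields $p\,a\,(f\,a)$, capturing $a$, while the nominal capture avoiding one first swaps $a$ with a fresh $b$ and yields $p\,b\,(f\,a)$. The permutation is picked deterministically from `NOMINALS`, which is one way of resolving the ambiguity the text discusses; any other admissible choice gives a result that `perm_equiv` recognises as the same, and `compose` together with `nominal_subst` lets one check on concrete terms that $B\llbracket\theta \bullet \rho\rrbracket \approx B\llbracket\theta\rrbracket\llbracket\rho\rrbracket$.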

The notation $B[\theta]$ generalizes the one used in the quantifier rules in Figure 1. This ordinary notion of substitution is needed to define such rules and it is used in the proof theory. As we will see in Section 5, however, it is nominal capture avoiding substitution that is the logically correct notion of substitution for 𝒢 since it preserves the provability of sequents. For this reason, when we speak of the application of a substitution in an unqualified way, we shall mean the nominal capture avoiding form of this notion. It is interesting to note that as the treatment of syntax becomes richer and more abstract, the natural notions of equality of expressions and of substitution also change. When the syntax of terms is encoded as trees, term equality is tree equality and substitution corresponds to "grafting." When syntax involves binding operators (as in first-order formulas or λ-terms), then it is natural for equality to become λ-convertibility and for substitutions to be "capture-avoiding" in the usual sense. Here, we have introduced into syntax the additional notion of nominal constants, for which we need to upgrade equality to the $\approx$-relation and substitution to the one which avoids the capture of nominal constants.

The definition of the nominal capture avoiding application of a substitution is ambiguous in that we do not uniquely specify the permutation to be used. We resolve this ambiguity by deeming as acceptable any permutation that avoids conflicts. As a special instance of the lemma below, we see that for any given formula $B$ and substitution $\theta$, all the possible values for $B\llbracket\theta\rrbracket$ are equivalent modulo the $\approx$ relation. Moreover, as we show in Section 5, formulas that are equivalent under $\approx$ are interchangeable in the contexts of proofs.

Lemma 3. If $t \approx t'$ then $t\llbracket\theta\rrbracket \approx t'\llbracket\theta\rrbracket$.

Proof. Let $t$ be λ-convertible to $\pi_1.t'$, let $t\llbracket\theta\rrbracket = (\pi_2.t)[\theta]$ where $\mathrm{supp}(\pi_2.t) \cap \mathrm{supp}(\theta) = \emptyset$, and let $t'\llbracket\theta\rrbracket$ be λ-convertible to $(\pi_3.t')[\theta]$ where $\mathrm{supp}(\pi_3.t') \cap \mathrm{supp}(\theta) = \emptyset$. Then we define a function $\pi$ partially by the following rules:

1. $\pi(c) = \pi_2.\pi_1.\pi_3^{-1}(c)$ if $c \in \mathrm{supp}(\pi_3.t')$ and

2. $\pi(c) = c$ if $c \in \mathrm{supp}(\theta)$.

Since $\mathrm{supp}(\pi_3.t') \cap \mathrm{supp}(\theta) = \emptyset$, these rules are not contradictory, i.e., this (partial) function is well-defined. The range of the first rule is $\mathrm{supp}(\pi_2.\pi_1.\pi_3^{-1}.\pi_3.t') = \mathrm{supp}(\pi_2.\pi_1.t') = \mathrm{supp}(\pi_2.t)$, which is disjoint from the range of the second rule, $\mathrm{supp}(\theta)$. Since the mapping in each rule is determined by a permutation, these rules together define a one-to-one partial mapping that can be extended to a bijection on 𝒞. We take any such extension to be the complete definition of $\pi$, which must therefore be a permutation.

To prove that $t\llbracket\theta\rrbracket \approx t'\llbracket\theta\rrbracket$ it suffices to show that if $t$ is λ-convertible to $\pi_1.t'$ then $(\pi_2.t)[\theta]$ is λ-convertible to $\pi.((\pi_3.t')[\theta])$. We will prove this by induction on the structure of $t'$. Permutations and substitutions distribute over the structure of terms, thus the cases for when $t'$ is an abstraction or application follow directly from the induction hypothesis. If $t'$ is a nominal constant $c$ then $(\pi_2.t)[\theta]$ must be λ-convertible to $(\pi_2.\pi_1.c)[\theta] = \pi_2.\pi_1.c$. Also, $\pi.((\pi_3.t')[\theta])$ must be λ-convertible to $\pi.\pi_3.c$. Further, in this case the first rule for $\pi$ applies, which means $\pi.\pi_3.c = \pi_2.\pi_1.\pi_3^{-1}.\pi_3.c = \pi_2.\pi_1.c$. Thus $(\pi_2.t)[\theta]$ is λ-convertible to $\pi.((\pi_3.t')[\theta])$. Finally, suppose $t'$ is a variable $x$. In this case $t$ must be λ-convertible to $x$, so that we must show $x[\theta]$ λ-converts to $\pi.(x[\theta])$. If $x$ does not have a binding in $\theta$ then both terms are equal. Alternatively, if $x[\theta] = s$ then $\pi.s = s$ follows from an inner induction on $s$ and the second rule for $\pi$. Thus $(\pi_2.t)[\theta]$ λ-converts to $\pi.((\pi_3.t')[\theta])$, as is required. □

We shall need to consider the composition of substitutions later in this section. The 
definition of this notion must also pay attention to the presence of nominal constants. 

Definition 4. Given a substitution $\theta$ and a permutation $\pi$ of nominal constants, let $\pi.\theta$ denote the substitution that is obtained by replacing each $t/x$ in $\theta$ with $(\pi.t)/x$. Given any two substitutions $\theta$ and $\rho$, let $\theta \circ \rho$ denote the substitution that is such that $B[\theta \circ \rho] = B[\theta][\rho]$. In this context, the nominal capture avoiding composition of $\theta$ and $\rho$ is written as $\theta \bullet \rho$ and defined as follows. Let $\pi$ be a permutation of nominal constants such that $\mathrm{supp}(\pi.\theta)$ is disjoint from $\mathrm{supp}(\rho)$. Then $\theta \bullet \rho = (\pi.\theta) \circ \rho$.

The notation 6* o p in the above definition represents the usual composition of 6 and p 
and can, in fact, be given in an explicit form based on these substitutions. Thus, 6 • p can 
also be presented in an explicit form. Notice that our definition of nominal capture avoiding 
composition is, once again, ambiguous because it does not fix the permutation to be used, 
accepting instead any one that satisfies the constraints. However, as before, this ambiguity is 
harmless. To understand this, we first extend the notion of equivalence under permutations 
to substitutions. 

Definition 5. Two substitutions θ and ρ are considered to be permutation equivalent, written 
θ ~ ρ, if and only if there is a permutation of nominal constants π such that θ = π.ρ. This 
notion of equivalence may also be parameterized by a set of variables Σ as follows: θ ~_Σ ρ 
just in the case that θ↾Σ ~ ρ↾Σ, where θ↾Σ is the restriction of θ to the variables in Σ. 

It is easy to see that all possible choices for θ • ρ are permutation equivalent and that 
if φ₁ ~ φ₂ then B[φ₁] ~ B[φ₂] for any term B. Thus, if our focus is on provability, the 
ambiguity in Definition 4 is inconsequential by a result to be established in Section 5. As a 
further observation, note that B[θ • ρ] ~ B[θ][ρ] for any B. Hence our notion of nominal 
capture avoiding composition of substitutions is sensible. 

The composition operation can be used to define an ordering relation between substitutions: 

Definition 6. Given two substitutions ρ and θ, we say ρ is less general than θ, notated 
as ρ ≤ θ, if and only if there exists a σ such that ρ ~ θ • σ. This relation can also be 
parameterized by a set of variables: ρ is less general than θ relative to Σ, written as ρ ≤_Σ θ, 
if and only if ρ↾Σ ≤ θ↾Σ. 

The notion of gener­ality between substitutions that is based on nominal capture avoiding 
composition has a different flavor from that based on the traditional form of substitution 
composition. For example, if a is a nominal constant, the substitution {a/x} is strictly less 
general than {a/x, y' a/y} relative to Σ for any Σ which contains x and y. To see this, note 
that we can compose the latter substitution with {(λz.y)/y'} to obtain the former, but the 
naive attempt to compose the former with {y' a/y} yields {b/x, y' a/y} where b is a nominal 
constant distinct from a. In fact, the "most general" solution relative to Σ containing {a/x} 
will be {a/x} ∪ {z' a/z | z ∈ 

3.2. Nominal Abstraction 

The nominal abstraction relation allows implicit formula-level bindings represented by 
nominal constants to be moved into explicit abstractions over terms. The following notation 
is useful for defining this relationship. 

Notation 7. Let t be a term, let c₁, ..., cₙ be distinct nominal constants that possibly occur 
in t, and let y₁, ..., yₙ be distinct variables not occurring in t and such that, for 1 ≤ i ≤ n, 
yᵢ and cᵢ have the same type. Then we write λc₁...λcₙ.t to denote the term λy₁...λyₙ.t' 
where t' is the term obtained from t by replacing cᵢ by yᵢ for 1 ≤ i ≤ n. 

There is an ambiguity in the notation introduced above in that the choice of variables 
y₁, ..., yₙ is not fixed. However, this ambiguity is harmless: the terms that are produced by 
acceptable choices are all equivalent under a renaming of bound variables. 

Definition 8. Let n ≥ 0 and let s and t be terms of type τ₁ → ··· → τₙ → τ and τ, 
respectively; notice, in particular, that s takes n arguments to yield a term of the same type 
as t. Then the expression s ▷ t is a formula that is referred to as a nominal abstraction of 
degree n or simply as a nominal abstraction. The symbol ▷ is used here in an overloaded 
way in that the degree of the nominal abstraction it participates in can vary. The nominal 
abstraction s ▷ t of degree n is said to hold just in the case that s λ-converts to λc₁...λcₙ.t 
for some nominal constants c₁, ..., cₙ. 

Clearly, nominal abstraction of degree 0 is the same as equality between terms based 
on λ-conversion, and we will therefore use = to denote this relation in that situation. In 
the more general case, the term on the left of the operator serves as a pattern for isolating 
occurrences of nominal constants. For example, if p is a binary constructor and c₁ and c₂ 
are nominal constants, then the nominal abstractions in the first row below hold while 
those in the second row do not. 

$$\begin{array}{ccc}
\lambda x.x \triangleright c_1 &
\lambda x.p\,x\,c_2 \triangleright p\,c_1\,c_2 &
\lambda x.\lambda y.p\,x\,y \triangleright p\,c_1\,c_2 \\
\lambda x.x \not\triangleright p\,c_1\,c_2 &
\lambda x.p\,x\,c_2 \not\triangleright p\,c_2\,c_1 &
\lambda x.\lambda y.p\,x\,y \not\triangleright p\,c_1\,c_1
\end{array}$$

The symbol ▷ corresponds, at the moment, to a mathematical relation that holds between 
pairs of terms as explicated by Definition 8. We now overload this symbol by treating it 
also as a binary predicate symbol of 𝒢. In the next subsection we shall add inference rules 
to make the mathematical understanding of ▷ coincide with its syntactic use as a predicate 
in sequents. It is, of course, necessary to be able to determine when we mean to use ▷ in 
the mathematical sense and when as a logical symbol. When we write an expression such as 
s ▷ t without qualification, this should be read as a logical formula, whereas if we say that 
"s ▷ t holds" then we are referring to the abstract relation from Definition 8. We might also 
sometimes use an expression such as "(s ▷ t)[θ] holds." In this case, we first treat s ▷ t 
as a formula to which we apply the substitution θ in a nominal capture avoiding way to 
get a (syntactic) expression of the form s' ▷ t'. We then read ▷ in the mathematical sense, 
interpreting the overall expression as the assertion that "s' ▷ t' holds." Note in this context 
that s ▷ t constitutes a single formula when read syntactically and hence the expression 
(s ▷ t)[θ] is, in general, not equivalent to the expression s[θ] ▷ t[θ]. 

In the proof-theoretic setting, nominal abstraction will be used with terms that contain 
free occurrences of variables for which substitutions can be made. The following definition 
is relevant to this situation. 

Definition 9. A substitution θ is said to be a solution to the nominal abstraction s ▷ t just 
in the case that (s ▷ t)[θ] holds. 

Solutions to a nominal abstraction can be used to provide rich characterizations of the 
structures of terms. For example, consider the nominal abstraction (λx. fresh x T) ▷ S in 
which T and S are variables and fresh is a binary predicate symbol. Any solution to this 
problem requires that S be substituted for by a term of the form fresh a R (and T by that 
same R) where a is a nominal constant and R is a term in which a does not appear, i.e., 
a must be "fresh" to R. 
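The following is an added example and not code from the paper: a small Python checker for Definition 8 over terms in β-normal form, so that "λ-converts to" is checked as α-equivalence (η-conversion is not considered). The term constructors, the function `holds`, and the helper names `rename_noms`, `nominal_lambda` and `page_examples` are this example's own choices. `holds` enumerates ordered selections of distinct nominal constants from supp(t), extended by constants that do not occur in t (these all yield the same vacuous abstraction), builds λc₁...λcₙ.t as in Notation 7 and compares the result with s up to renaming of bound variables; `page_examples` recomputes the six abstractions tabulated above, and the same checker decides the fresh example of Definition 9 once a candidate substitution has been applied.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Union
# Terms are taken to be in beta-normal form, so "lambda-converts to" is checked as
# alpha-equivalence (eta-conversion is not considered).
@dataclass(frozen=True)
class Var:
    name: str  # free variable, or an occurrence of a bound variable
@dataclass(frozen=True)
class Nom:
    name: str  # nominal constant
@dataclass(frozen=True)
class Con:
    name: str  # ordinary constant (the constructor p, the predicate fresh, ...)
@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"
@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

Term = Union[Var, Nom, Con, App, Lam]

def app(f: Term, *args: Term) -> Term:
    for a in args:  # left-nested application f a1 ... an
        f = App(f, a)
    return f

def supp(t: Term) -> set:
    """The nominal constants occurring in t."""
    if isinstance(t, Nom):
        return {t.name}
    if isinstance(t, App):
        return supp(t.fun) | supp(t.arg)
    return supp(t.body) if isinstance(t, Lam) else set()

def names(t: Term) -> set:
    """Every variable name in t (free or binding), so that fresh names can avoid them."""
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return names(t.fun) | names(t.arg)
    return {t.var} | names(t.body) if isinstance(t, Lam) else set()

def rename_noms(t: Term, mapping: dict) -> Term:
    """Replace the nominal constants named in mapping: with Nom terms this is a
    permutation of nominal constants, with Var terms it is the replacement of Notation 7."""
    if isinstance(t, Nom):
        return mapping.get(t.name, t)
    if isinstance(t, App):
        return App(rename_noms(t.fun, mapping), rename_noms(t.arg, mapping))
    return Lam(t.var, rename_noms(t.body, mapping)) if isinstance(t, Lam) else t

def alpha_eq(a: Term, b: Term, env=()) -> bool:
    """Alpha-equivalence; env pairs the binders of a with those of b, innermost last."""
    if isinstance(a, Lam) and isinstance(b, Lam):
        return alpha_eq(a.body, b.body, env + ((a.var, b.var),))
    if isinstance(a, App) and isinstance(b, App):
        return alpha_eq(a.fun, b.fun, env) and alpha_eq(a.arg, b.arg, env)
    if isinstance(a, Var) and isinstance(b, Var):
        for x, y in reversed(env):  # a bound occurrence must refer to the matching binder
            if a.name == x or b.name == y:
                return a.name == x and b.name == y
        return a.name == b.name  # both free
    return a == b  # Nom or Con: same kind and same name

def nominal_lambda(t: Term, cs) -> Term:
    """Notation 7: lambda c1 ... lambda cn . t, each ci replaced by a fresh bound variable."""
    used, ys, i = names(t), [], 0
    for _ in cs:
        while f"y{i}" in used:
            i += 1
        ys.append(f"y{i}")
        i += 1
    body = rename_noms(t, {c: Var(y) for c, y in zip(cs, ys)})
    for y in reversed(ys):
        body = Lam(y, body)
    return body

def holds(s: Term, t: Term, degree: int) -> bool:
    """Definition 8: s ▷ t of the given degree holds iff s is alpha-equal to
    lambda c1 ... cn . t for some distinct nominal constants c1 ... cn.  Constants absent
    from t all give the same (vacuous) abstraction, so `degree` of them join the pool."""
    pool = sorted(supp(t))
    fresh = (f"d{k}" for k in range(degree + len(pool)) if f"d{k}" not in pool)
    pool += [next(fresh) for _ in range(degree)]
    return any(alpha_eq(s, nominal_lambda(t, cs)) for cs in permutations(pool, degree))

def page_examples():
    """The six nominal abstractions tabulated above: the first row holds, the second does not."""
    p, c1, c2, x, y = Con("p"), Nom("c1"), Nom("c2"), Var("x"), Var("y")
    first_row = [holds(Lam("x", x), c1, 1),
                 holds(Lam("x", app(p, x, c2)), app(p, c1, c2), 1),
                 holds(Lam("x", Lam("y", app(p, x, y))), app(p, c1, c2), 2)]
    second_row = [holds(Lam("x", x), app(p, c1, c2), 1),
                  holds(Lam("x", app(p, x, c2)), app(p, c2, c1), 1),
                  holds(Lam("x", Lam("y", app(p, x, y))), app(p, c1, c1), 2)]
    return first_row, second_row
```

The search over ordered selections is exactly the source of the n! factor noted for Definition 13 below; for the degrees 1 and 2 that arise in practice it is negligible. Because `rename_noms` with a `Nom`-valued mapping is a permutation of nominal constants, the same checker can be used to confirm the permutation invariance stated in Lemma 10 on concrete terms.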

An important property of solutions to a nominal abstraction is that they are preserved 
under permutations of nominal constants. We establish this fact in the lemma below; this 
lemma will be used later in showing the stability of the provability of sequents with respect 
to the replacement of formulas by ones they are equivalent to modulo the ~ relation. 

Lemma 10. Suppose (s ▷ t) ~ (s' ▷ t'). Then s ▷ t and s' ▷ t' have exactly the same solutions. 
In particular, s ▷ t holds if and only if s' ▷ t' holds. 

Proof. We prove the particular result first. It suffices to show it in the forward direction 
since ~ is symmetric. Let π be a permutation such that the expression s' ▷ t' λ-converts to 
π.(s ▷ t). Now suppose s ▷ t holds because s λ-converts to λc̄.t. Then an inner induction on t' 
shows that s' λ-converts to λ(π.c̄).t', where π.c̄ is the result of applying π to each element in 
the sequence c̄. Thus s' ▷ t' holds. 

For the general result it again suffices to show it in one direction, i.e., that all the solutions 
of s ▷ t are solutions to s' ▷ t'. Let θ be a substitution such that (s ▷ t)[θ] holds. By Lemma 3, 
(s ▷ t)[θ] ~ (s' ▷ t')[θ]. When the substitutions are carried out, this relation has the same 
form as the particular result from the first half of this proof, and thus (s' ▷ t')[θ] holds. □ 

3.3. Proof rules for nominal abstraction 

We now add the left and right introduction rules for ▷ that are shown in Figure 2 to link 
its use as a predicate symbol to its mathematical interpretation. The expression Σθ in the ▷L 
rule denotes the application of a substitution θ = {t₁/x₁, ..., tₙ/xₙ} to the signature Σ; it 
is defined to be the signature that results from removing the variables {x₁, ..., xₙ} from Σ 
and then adding every variable that is free in any term in {t₁, ..., tₙ}. Notice also that in 
the same inference rule the operator [θ] is applied to a multiset of formulas in the natural 
way: Γ[θ] = {B[θ] | B ∈ Γ}. Note that the ▷L rule has an a priori unspecified number 
of premises that depends on the number of substitutions that are solutions to the relevant 
nominal abstraction. If s ▷ t expresses an unsatisfiable constraint, meaning that it has no 
solutions, then the premise set of ▷L is empty and the rule provides an immediate proof of its 
conclusion. 

$$\frac{\{\,\Sigma\theta : \Gamma[\theta] \vdash C[\theta] \;\mid\; \theta \text{ is a solution to } (s \triangleright t)\,\}}{\Sigma : \Gamma, s \triangleright t \vdash C}\ \triangleright\mathcal{L}
\qquad
\frac{}{\Sigma : \Gamma \vdash s \triangleright t}\ \triangleright\mathcal{R},\ \ s \triangleright t \text{ holds}$$

Figure 2: Nominal abstraction rules 

$$\frac{\{\,\Sigma\theta : \Gamma[\theta] \vdash C[\theta] \;\mid\; \theta \in \mathit{CSNAS}(\Sigma, s, t)\,\}}{\Sigma : \Gamma, s \triangleright t \vdash C}\ \triangleright\mathcal{L}_{\mathit{CSNAS}}$$

Figure 3: A variant of ▷L based on CSNAS 

The ▷L and ▷R rules capture nicely the intended interpretation of nominal abstraction. 
However, there is an obstacle to using the former rule in derivations: it has an infinite 
number of premises whenever the nominal abstraction s ▷ t has a solution. We can overcome 
this difficulty by describing a rule that includes only a few of these premises, but in such a way 
that their provability ensures the provability of all the other premises. Since the provability 
of Γ ⊢ C implies the provability of Γ[θ] ⊢ C[θ] for any θ (a property established formally in 
Section 5), if the first sequent is a premise of an occurrence of the ▷L rule, the second does 
not need to be used as a premise of that same rule occurrence. Thus, we can limit the set of 
premises to be considered if we can identify with any given nominal abstraction a (possibly 
finite) set of solutions from which any other solution can be obtained through composition 
with a suitable substitution. The following definition formalizes the idea of such a "covering 
set." 

Definition 11. A complete set of nominal abstraction solutions (CSNAS) of s and t on Σ 
is a set S of substitutions such that 

1. each θ ∈ S is a solution to s ▷ t, and 

2. for every solution ρ to s ▷ t, there exists a θ ∈ S such that ρ ≤_Σ θ. 

We denote any such set by CSNAS(Σ, s, t). 

Using this definition we present an alternative version of ▷L in Figure 3. Note that if we 
can find a finite complete set of nominal abstraction solutions then the number of premises 
to this rule will be finite. 

Theorem 12. The rules ▷L and ▷L_CSNAS are inter-admissible. 

Proof. Suppose we have the following arbitrary instance of ▷L in a derivation: 

$$\frac{\{\,\Sigma\theta : \Gamma[\theta] \vdash C[\theta] \;\mid\; \theta \text{ is a solution to } (s \triangleright t)\,\}}{\Sigma : \Gamma, s \triangleright t \vdash C}\ \triangleright\mathcal{L}$$

This rule can be replaced with a use of ▷L_CSNAS instead if we can be certain that, for 
each ρ ∈ CSNAS(Σ, s, t), the sequent Σρ : Γ[ρ] ⊢ C[ρ] is included in the set of premises 
of the shown rule instance. But this must be the case: by the definition of CSNAS, each 
such ρ is a solution to s ▷ t. 

In the other direction, suppose we have the following arbitrary instance of ▷L_CSNAS: 

$$\frac{\{\,\Sigma\theta : \Gamma[\theta] \vdash C[\theta] \;\mid\; \theta \in \mathit{CSNAS}(\Sigma, s, t)\,\}}{\Sigma : \Gamma, s \triangleright t \vdash C}\ \triangleright\mathcal{L}_{\mathit{CSNAS}}$$

To replace this rule with a use of the ▷L rule instead, we need to be able to construct a 
derivation of Σρ : Γ[ρ] ⊢ C[ρ] for each ρ that is a solution to s ▷ t. By the definition of 
CSNAS, we know that for any such ρ there exists a θ ∈ CSNAS(Σ, s, t) such that ρ ≤_Σ θ, 
i.e., such that there exists a σ for which ρ↾Σ ~ (θ↾Σ) • σ. Since we are considering 
the application of these substitutions to a sequent all of whose eigenvariables are contained 
in Σ, we can drop the restriction on the substitutions and suppose that ρ ~ θ • σ. Now, 
we shall show in Section 5 that if a sequent has a derivation then the result of applying 
a substitution to it in a nominal capture-avoiding way produces a sequent that also has a 
derivation. Using this observation, it follows that Σθσ : Γ[θ][σ] ⊢ C[θ][σ] has a proof. But 
this sequent is permutation equivalent to Σρ : Γ[ρ] ⊢ C[ρ], which must, again by a result 
established explicitly in Section 5, also have a proof. □ 

Theorem 12 allows us to choose which of the left rules we wish to consider in any given 
context. We shall assume the ▷L rule in the formal treatment in the rest of this paper, 
leaving the use of the ▷L_CSNAS rule to practical applications of the logic. 

3.4. Computing complete sets of nominal abstraction solutions 

For the ▷L_CSNAS rule to be useful, we need an effective way to compute restricted 
complete sets of nominal abstraction solutions. We show here that the task of finding such 
complete sets of solutions can be reduced to that of finding complete sets of unifiers (CSU) for 
higher-order unification problems [25]. In the straightforward approach to finding a solution 
to a nominal abstraction s ▷ t, we would first identify a substitution θ that we apply to s ▷ t 
to get s' ▷ t', and we would subsequently look for nominal constants to abstract from t' to 
get s'. To relate this problem to the usual notion of unification, we would like to invert this 
order: in particular, we would like to consider all possible ways of abstracting over nominal 
constants first and only later think of applying substitutions to make the terms equal. The 
difficulty with this second approach is that we do not know which nominal constants might 
appear in t' until after the substitution is applied. However, there is a way around this 
problem. Given the nominal abstraction s ▷ t of degree n, we first consider substitutions for 
the variables occurring in it that introduce n new nominal constants in a completely general 
way. Then we consider all possible ways of abstracting over the nominal constants appearing 
in the altered form of t and, for each of these cases, we look for a complete set of unifiers. 

The idea described above is formalized in the following definition and associated theorem. 
We use the notation CSU(s, t) in them to denote an arbitrary but fixed selection of a complete 
set of unifiers for the terms s and t. 

Definition 13. Let s and t be terms of type τ₁ → ··· → τₙ → τ and τ, respectively. Let 
c₁, ..., cₙ be n distinct nominal constants disjoint from supp(s ▷ t) such that, for 1 ≤ i ≤ n, 
cᵢ has the type τᵢ. Let Σ be a set of variables and for each h ∈ Σ of type τ', let h' be a distinct 
variable not in Σ that has type τ₁ → ··· → τₙ → τ'. Let σ = {h' c₁ ... cₙ/h | h ∈ Σ} and 
let s' = s[σ] and t' = t[σ]. Let 

$$\mathcal{C} = \bigcup_{\bar a} \mathit{CSU}(\lambda\bar b.s',\ \lambda\bar b.\lambda\bar a.t')$$

where ā = a₁, ..., aₙ ranges over all selections of n distinct nominal constants from supp(t) ∪ 
{c̄} such that, for 1 ≤ i ≤ n, aᵢ has type τᵢ, and b̄ is some corresponding listing of all the 
nominal constants in s' and t' that are not included in ā. Then we define 

$$\mathcal{S}(\Sigma, s, t) = \{\,\sigma \bullet \rho \mid \rho \in \mathcal{C}\,\}.$$

The use of the substitution σ above represents another instance of the application of the 
general technique of raising, which allows certain variables (the h variables in this definition) 
whose substitution instances might depend on certain nominal constants (c₁, ..., cₙ here) to 
be replaced by new variables of higher type (the h' variables) whose substitution instances 
are not allowed to depend on those nominal constants. This technique was previously used 
in the ∃L and ∀R rules presented in Section 2. 

An important observation concerning Definition 13 is that it requires us to consider all 
possible (ordered) selections a₁, ..., aₙ of distinct nominal constants from supp(t) ∪ {c̄}. The 
set of such selections is potentially large, having at least n! members. However, in 
the uses that we have seen of 𝒢 in reasoning tasks, n is typically small, often either 1 or 
2. Moreover, in these reasoning applications, the cardinality of the set supp(t) ∪ {c̄} is also 
usually small. 

Theorem 14. 𝒮(Σ, s, t) is a complete set of nominal abstraction solutions for s ▷ t on Σ. 

Proof. First note that supp(σ) ∩ supp(s ▷ t) = ∅ and thus (s ▷ t)[σ] is equal to (s' ▷ t'). Now 
we must show that every element of 𝒮(Σ, s, t) is a solution to s ▷ t. Let σ • ρ ∈ 𝒮(Σ, s, t) 
be an arbitrary element, where σ is as in Definition 13, ρ is from CSU(λb̄.s', λb̄.λā.t'), and 
s' = s[σ] and t' = t[σ]. By the definition of CSU we know that (λb̄.s' = λb̄.λā.t')[ρ] holds. This 
means (s' = λā.t')[ρ] holds and thus (s' ▷ t')[ρ] holds. Rewriting s' and t' in terms of s and t, this 
means that (s ▷ t)[σ][ρ] holds. Thus σ • ρ is a solution to s ▷ t. 

In the other direction, we must show that if θ is a solution to s ▷ t then there exists 
σ • ρ ∈ 𝒮(Σ, s, t) such that θ ≤_Σ σ • ρ. Let θ be a solution to s ▷ t. Then we know (s ▷ t)[θ] 
holds. The substitution θ may introduce some nominal constants which are abstracted out 
of the right-hand side when determining equality, so let us call these the important nominal 
constants. Let σ = {h' c₁ ... cₙ/h | h ∈ Σ} be as in Definition 13 and let π' be a permutation 
which maps the important nominal constants of θ to nominal constants from c₁, ..., cₙ. This 
is possible since n nominal constants are abstracted from the right-hand side and thus there 
are at most n important nominal constants. Then let θ' = π'.θ, so that (s ▷ t)[θ'] holds, and 
it suffices to show that θ' ≤_Σ σ • ρ. Note that all we have done at this point is to rename 
the important nominal constants of θ so that they match those introduced by σ. Now we 
define ρ' = {λc₁...λcₙ.r/h' | r/h ∈ θ'} so that θ' = σ • ρ'. Thus (s ▷ t)[σ][ρ'] holds. By 
construction, σ shares no nominal constants with s and t, thus we know that (s' ▷ t')[ρ'] holds where 
s' = s[σ] and t' = t[σ]. Also by construction, ρ' contains no important nominal constants 
and thus (s' = λā.t')[ρ'] holds for some nominal constants ā taken from supp(t) ∪ {c̄}. If we 
let b̄ be a listing of all nominal constants in s' and t' but not in ā, then (λb̄.s' = λb̄.λā.t')[ρ'] 
holds. At this point the inner equality has no nominal constants and thus the substitution 
ρ' can be applied without renaming: (λb̄.s' = λb̄.λā.t')[ρ'] holds. By the definition of CSU, 
there must be a ρ ∈ CSU(λb̄.s', λb̄.λā.t') such that ρ' ≤ ρ. Thus σ • ρ' ≤_Σ σ • ρ, as desired. □ 

$$\frac{\Sigma : \Gamma, B\,p\,\bar t \vdash C}{\Sigma : \Gamma, p\,\bar t \vdash C}\ \mathit{def}\mathcal{L}
\qquad
\frac{\Sigma : \Gamma \vdash B\,p\,\bar t}{\Sigma : \Gamma \vdash p\,\bar t}\ \mathit{def}\mathcal{R}$$

Figure 4: Introduction rules for atoms whose predicate is defined as ∀x̄. p x̄ ≜ B p x̄ 

4. Definitions, Induction, and Co-induction 

The sequent calculus rules presented in Figure 1 treat atomic judgments as fixed, unana- 
lyzed objects. We now add the capability of defining such judgments by means of formulas, 
possibly involving other predicates. In particular, we shall assume that we are given a fixed, 
finite set of clauses of the form ∀x̄. p x̄ ≜ B p x̄ where p is a predicate constant that takes 
a number of arguments equal to the length of x̄. Such a clause is said to define p and the 
entire collection of clauses is called a definition. The expression B, called the body of the 
clause, must be a term that does not contain p or any of the variables in x̄ and must have a 
type such that B p x̄ has type o. Definitions are also restricted so that a predicate is defined 
by at most one clause. The intended interpretation of a clause ∀x̄. p x̄ ≜ B p x̄ is that the 
atomic formula p t̄, where t̄ is a list of terms of the same length and type as the variables in 
x̄, is true if and only if B p t̄ is true. This interpretation is realized by adding to the calculus 
the rules defL and defR shown in Figure 4 for unfolding predicates on the left and the right 
of sequents using their defining clauses. 

A definition can have a recursive structure. For example, in the clause ∀x̄. p x̄ ≜ B p x̄, 
the predicate p can appear free in B p x̄. In this setting, the meanings of predicates are 
intended to be given by any one of the fixed points that can be associated with the definition. 
Such an interpretation may not always be sensible. In particular, without further restrictions, 
the resulting proof system may not be consistent. There are two constraints that suffice to 
ensure consistency. First, the body of a clause must not contain any nominal constants. This 
restriction can be justified from another perspective as well: as we see in Section 5, it helps 
in establishing that ~ is a provability preserving equivalence between formulas. Second, 
definitions should be stratified so that clauses, such as a ≜ (a ⊃ ⊥), in which a predicate 
has a negative dependency on itself, are forbidden. While such stratification can be enforced 
in different ways, we use a simple approach to doing this in this paper. This approach is 
based on associating with each predicate p a natural number that is called its level and that 
is denoted by lvl(p). This measure is then extended to arbitrary formulas by the following 
definition. 

$$\frac{\bar x : B\,S\,\bar x \vdash S\,\bar x \qquad \Sigma : \Gamma, S\,\bar t \vdash C}{\Sigma : \Gamma, p\,\bar t \vdash C}\ \mathcal{IL}$$

provided p is defined as ∀x̄. p x̄ ≜^μ B p x̄ and S is a term that has the same type as p 

$$\frac{\Sigma : \Gamma \vdash S\,\bar t \qquad \bar x : S\,\bar x \vdash B\,S\,\bar x}{\Sigma : \Gamma \vdash p\,\bar t}\ \mathcal{CIR}$$

provided p is defined as ∀x̄. p x̄ ≜^ν B p x̄ and S is a term that has the same type as p 

Figure 5: The induction left and co-induction right rules 

Definition 15. Given an assignment of levels to predicates, the function lvl is extended to 
all formulas in λ-normal form as follows: 

1. lvl(p t̄) = lvl(p) 

2. lvl(⊥) = lvl(⊤) = lvl(s ▷ t) = 0 

3. lvl(B ∧ C) = lvl(B ∨ C) = max(lvl(B), lvl(C)) 

4. lvl(B ⊃ C) = max(lvl(B) + 1, lvl(C)) 

5. lvl(∀x.B) = lvl(∇x.B) = lvl(∃x.B) = lvl(B) 

In general, the level of a formula B, written as lvl(B), is the level of its λ-normal form. 

A definition is stratified if we can assign levels to predicates in such a way that lvl(B p x̄) ≤ 
lvl(p) for each clause ∀x̄. p x̄ ≜ B p x̄ in that definition. 

The defL and defR rules do not discriminate between any of the fixed points of a def- 
inition. We now allow for the selection of least and greatest fixed points so as to support 
inductive and co-inductive definitions of predicates. Specifically, we denote an inductive 
clause by ∀x̄. p x̄ ≜^μ B p x̄ and a co-inductive one by ∀x̄. p x̄ ≜^ν B p x̄. As a refinement of 
the earlier restriction on definitions, a predicate may have at most one defining clause, which 
is designated to be inductive, co-inductive or neither. The defL and defR rules may be used 
with clauses in any one of these forms. Clauses that are inductive admit additionally the left 
rule IL shown in Figure 5. This rule is based on the observation that the least fixed point of 
a monotone operator is the intersection of all its pre-fixed points; intuitively, anything that 
follows from any pre-fixed point should then also follow from the least fixed point. In a proof 
search setting, the term corresponding to the schema variable S in this rule functions like the 
induction hypothesis and is accordingly called the invariant of the induction. Clauses that 
are co-inductive, on the other hand, admit the right rule CIR also presented in Figure 5. 
This rule reflects the fact that the greatest fixed point of a monotone operator is the union 
of all the post-fixed points; any member of such a post-fixed point must therefore also be a 
member of the greatest fixed point. The substitution that is used for S in this rule is called 
the co-invariant or the simulation of the co-induction. Just like the restriction on the body of 
clauses, in both IL and CIR the (co-)invariant S must not contain any nominal constants. 

As a simple illustration of the use of these rules, consider the clause p ≜^μ p. The desired 
inductive reading of this clause implies that p must be false. In a proof-theoretic setting, we 
would therefore expect that the sequent · : p ⊢ ⊥ can be proved. This can, in fact, be done 
by using IL with the invariant S = ⊥. On the other hand, consider the clause q ≜^ν q. The 
co-inductive reading intended here implies that q must be true. The logic 𝒢 satisfies this 
expectation: the sequent · : · ⊢ q can be proved using CIR with the co-invariant S = ⊤. 

The addition of inductive and co-inductive forms of clauses and the mixing of these 
forms in one setting requires a stronger stratification condition to guarantee consistency. 
One condition that suffices and that is also practically acceptable is the following, taken 
from [26]: in a clause of any of the forms ∀x̄. p x̄ ≜ B p x̄, ∀x̄. p x̄ ≜^μ B p x̄ or 
∀x̄. p x̄ ≜^ν B p x̄, it must be that lvl(B (λx̄.⊤) x̄) < lvl(p). This disallows any mutual 
recursion between clauses, a restriction which can easily be overcome by merging mutually 
recursive clauses into a single clause. We henceforth assume that all definitions satisfy all 
three conditions described for them in this section. Corollary 22 in Section 5 establishes the 
consistency of the logic under these restrictions. 
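As an added illustration of Definition 15 and the two stratification conditions, and not part of the paper, the Python fragment below computes lvl over a tuple encoding of formulas, checks lvl(B p x̄) ≤ lvl(p) and the stronger lvl(B (λx̄.⊤) x̄) < lvl(p) taken from [26], and searches exhaustively for a level assignment that satisfies both. The encoding, the function names, the bound used to cut off the search and the sample definitions (the `nat`, `even`/`odd` clauses) are this example's own choices. It rejects a ≜ (a ⊃ ⊥) and the mutually recursive even/odd pair, and accepts the merged single-clause version, which is the workaround the text describes.

```python
from itertools import product

# Formulas in lambda-normal form, written as tuples; a quantifier carries only its
# body because lvl ignores the bound variable (Definition 15, clause 5).
#   ("atom", p)   ("bot",)   ("top",)   ("nabs",)       -- p t̄, ⊥, ⊤, s ▷ t
#   ("and", B, C)   ("or", B, C)   ("imp", B, C)
#   ("forall", B)   ("nabla", B)   ("exists", B)

def lvl(f, levels):
    """Definition 15 for a given assignment `levels` of natural numbers to predicates."""
    tag = f[0]
    if tag == "atom":
        return levels[f[1]]
    if tag in ("bot", "top", "nabs"):
        return 0
    if tag in ("and", "or"):
        return max(lvl(f[1], levels), lvl(f[2], levels))
    if tag == "imp":  # only an antecedent raises the level
        return max(lvl(f[1], levels) + 1, lvl(f[2], levels))
    if tag in ("forall", "nabla", "exists"):
        return lvl(f[1], levels)
    raise ValueError(f"unknown connective {tag}")

def with_pred_as_top(f, p):
    """B (λx̄.⊤) x̄: the body with every atom of p replaced by ⊤, which is the
    beta-normal form of applying λx̄.⊤ to any arguments."""
    tag = f[0]
    if tag == "atom":
        return ("top",) if f[1] == p else f
    if tag in ("and", "or", "imp"):
        return (tag, with_pred_as_top(f[1], p), with_pred_as_top(f[2], p))
    if tag in ("forall", "nabla", "exists"):
        return (tag, with_pred_as_top(f[1], p))
    return f

def stratified(definition, levels):
    """lvl(B p x̄) ≤ lvl(p) for every clause ∀x̄. p x̄ ≜ B p x̄ (definition: dict p -> body)."""
    return all(lvl(body, levels) <= levels[p] for p, body in definition.items())

def tiu_condition(definition, levels):
    """The stronger condition taken from [26]: lvl(B (λx̄.⊤) x̄) < lvl(p) for every clause."""
    return all(lvl(with_pred_as_top(body, p), levels) < levels[p]
               for p, body in definition.items())

def count_imps(f):
    """Number of implications in f; each can force the level up by at most one."""
    return (f[0] == "imp") + sum(count_imps(g) for g in f[1:] if isinstance(g, tuple))

def find_levels(definition):
    """Exhaustively search for a level assignment meeting both conditions (None if none).
    Every constraint has the shape lvl(q) + k ≤ lvl(p) with k ≤ (#implications + 1), so a
    satisfiable system has a solution with all levels ≤ |preds| * (#implications + 1)."""
    preds = sorted(definition)
    bound = len(preds) * (sum(count_imps(b) for b in definition.values()) + 1)
    for choice in product(range(bound + 1), repeat=len(preds)):
        levels = dict(zip(preds, choice))
        if stratified(definition, levels) and tiu_condition(definition, levels):
            return levels
    return None

def examples():
    """Definitions discussed above; equalities are degree-0 nominal abstractions ("nabs",)."""
    atom = lambda p: ("atom", p)
    # a ≜ (a ⊃ ⊥): negative self-dependency, no level assignment works
    negative = {"a": ("imp", atom("a"), ("bot",))}
    # nat x ≜ x = z ∨ ∃y. x = s y ∧ nat y: positive recursion, level 1 suffices
    nat = {"nat": ("or", ("nabs",), ("exists", ("and", ("nabs",), atom("nat"))))}
    # even/odd by mutual recursion: rejected by the condition from [26] ...
    mutual = {"even": ("or", ("nabs",), ("exists", ("and", ("nabs",), atom("odd")))),
              "odd": ("exists", ("and", ("nabs",), atom("even")))}
    # ... but accepted once the two clauses are merged into a single predicate
    merged = {"evenodd": ("or", ("nabs",), ("exists", ("and", ("nabs",), atom("evenodd"))))}
    return {"negative": find_levels(negative), "nat": find_levels(nat),
            "mutual": find_levels(mutual), "merged": find_levels(merged)}
```

The strict inequality in `tiu_condition` is what forbids mutual recursion: with `even` mentioning `odd` and `odd` mentioning `even`, the search would need lvl(odd) < lvl(even) < lvl(odd), which no assignment satisfies, whereas the merged clause only needs lvl(evenodd) ≥ 1.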

5. Some Properties of the Logic 

We have now described the logic 𝒢 completely: in particular, its proof rules consist of 
the ones in Figures 1, 2, 4 and 5. This logic combines and extends the features of several 
logics such as FOλ^ΔN [5], FOλ^ΔIN [16], LG^ω [27] and Linc^- [26]. The relationship to 
Linc^- is of special interest to us below: 𝒢 is a conservative extension of this logic that is 
obtained by adding a treatment of the ∇ quantifier and the associated nominal constants 
and by generalizing the proof rules pertaining to equality to ones dealing with nominal 
abstraction. This correspondence will allow the proof of the critical meta-theoretic property 
of cut-elimination for Linc^- to be lifted to 𝒢. 

We shall actually establish three main properties of 𝒢 in this section. First, we shall 
show that the provability of a sequent is unaffected by the application of permutations of 
nominal constants to formulas in the sequent. This property consolidates our understanding 
that nominal constants are quantified implicitly at the formula level; such quantification 
also renders irrelevant the particular names chosen for such constants. Second, we show that 
the application of substitution in a nominal capture-avoiding way preserves provability; by 
contrast, ordinary application of substitution does not have this property. Finally, we show 
that the cut rule can be dispensed with from the logic without changing the set of provable 
sequents. This implies that the left and right rules of the logic are balanced and, moreover, 
that the logic is consistent. This is the main result of this section and its proof uses the 
earlier two results together with the argument for cut-elimination for Linc^-. 

Several of our arguments will be based on induction on the heights of proofs. This 
measure is defined formally below. Notice that the height of a proof can be an infinite 
ordinal because the ▷L rule can have an infinite number of premises. Thus, we will be using 
a transfinite form of induction. 

Definition 16. The height of a derivation Π, denoted by ht(Π), is 1 if Π has no premise 
derivations and is the least upper bound of {ht(Πᵢ) + 1}_{i∈I} if Π has the premise derivations 
{Πᵢ}_{i∈I}, where I is some index set. Note that the typing derivations in the rules ∀L and ∃R 
are not considered premise derivations in this sense. 

Many proof systems, such as Linc^-, include a weakening rule that allows formulas to be 
dropped (reading proofs bottom-up) from the left-hand sides of sequents. While 𝒢 does not 
include such a rule directly, its effect is captured in a strong sense as we show in the lemma 
below. Two proofs are to be understood here and elsewhere as having the same structure if 
they are isomorphic as trees, if the same rules appear at corresponding places within them 
and if these rules pertain to formulas that can be obtained one from the other via a renaming 
of eigenvariables and nominal constants. 

Lemma 17. Let Π be a proof of Σ : Γ ⊢ B and let Δ be a multiset of formulas whose 
eigenvariables are contained in Σ. Then there exists a proof Π' of Σ : Δ, Γ ⊢ B which has the 
same structure as Π. In particular ht(Π) = ht(Π') and Π and Π' end with the same rule 
application. 

Proof. The lemma can be proved by an easy induction on ht(Π). We omit the details. □ 

The following lemma shows a strong form of the preservation of provability under per- 
mutations of nominal constants appearing in formulas, the first of our mentioned results. 

Lemma 18. Let II be a proof of E : Bi, . . . , Bn \- Bq and let Bi fa for i G {0,1, ... ,n}. 
Then there exists a proof H' of : B[, . . . , B'^ h B'^ which has the same structure asH. In 
particular ht(n) = ht(n') and H and H' end with the same rule application. 

Proof. The proof is by induction on ht(n) and proceeds specifically by considering the last 
rule used in 11. When this is a left rule, we shall assume without loss of generality that it 
operates on Bn- 

The argument is easy to provide when the last rule in 11 is one of A-C or TTZ. If this rule 
is an id, i.e., if H is of the form 

Bj Bq 

id 



E : Bi, . . . ,Bn\- Bq 

then, since ~ is an equivalence relation, it must be the case that B'j ^ B'q. Thus, we can let 
n' be the derivation 

j::B[,...,B'^hB', 
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If the last rule is a >TZ applied to a nominal abstraction s > t then the result follows 
immediately from Lemma [TUl 

In the remaining cases we shall show that the last rule in 11 can also have H : B[, . . . , B'^ \- 
B'q as a conclusion with the premises in this application of the rule being related via permu- 
tations in the way required by the lemma to the premises of the rule application in 11. The 
lemma then follows from the induction hypothesis. 

In the case when the last rule in 11 pertains to a binary connective — i.e., when the rule 
is one of V£, \/7l, AC, ATI, D £ or D 71 — the desired conclusion follows naturally from the 
observation that permutations distribute over the connective. The proof can be similarly 
completed when a 3£, 371, V£ or W7Z rule ends the derivation, once we have noted that 
the application of permutations can be moved under the 3 and V quantifiers. For the cut 
and cC rules, we have to show that permutations can be extended to include the newly 
introduced formula in the upper sequent (s). This is easy: for the cut rule we use the identity 
permutation and for c£ we replicate the permutation used to obtain B!^ from i?„. 

The two remaining rules from the core logic are V£ and V7^. The argument in these 
cases are similar and we consider only the later in detail. In this case, the last rule in 11 is 
of the form 

E:5i,...,5„hC[a/x] 



E : Bi,...,B^hVx.C 



V7Z 



where a ^ supp(C). Obviously, Bq = Vx.C for some C such that C ~ C . Let d be a 
nominal constant such that d ^ supp(C) and d ^ supp(C"). Such a constant must exist since 
both sets are finite. Then C[a/x\ ~ C[d/x\ ~ C'[d/x\. Thus the following 

i::B[,...,B'^^C'{d/x] 

S : h Vx.C ^'^ 

is also an instance of the V7^ rule and its upper sequent has the desired form. 
When the last rule in $\Pi$ is $\rhd\mathcal{L}$, it has the structure

$$\frac{\{\Sigma\theta : B_1\lfloor\theta\rfloor, \ldots, B_{n-1}\lfloor\theta\rfloor \vdash B_0\lfloor\theta\rfloor \mid \theta \text{ is a solution to } s \rhd t\}}{\Sigma : B_1, \ldots, B_{n-1}, s \rhd t \vdash B_0}\ \rhd\mathcal{L}$$

Here we know that $B'_n$ is a nominal abstraction $s' \rhd t'$ that, by Lemma 10, has the same solutions as $s \rhd t$. Further, by Lemma 3, $B_i\lfloor\theta\rfloor \approx B'_i\lfloor\theta\rfloor$ for any substitution $\theta$. Thus

$$\frac{\{\Sigma\theta : B'_1\lfloor\theta\rfloor, \ldots, B'_{n-1}\lfloor\theta\rfloor \vdash B'_0\lfloor\theta\rfloor \mid \theta \text{ is a solution to } s' \rhd t'\}}{\Sigma : B'_1, \ldots, B'_{n-1}, s' \rhd t' \vdash B'_0}\ \rhd\mathcal{L}$$

is also an instance of the $\rhd\mathcal{L}$ rule and its upper sequents have the required property.

The arguments for the rules $\mathrm{def}\mathcal{L}$ and $\mathrm{def}\mathcal{R}$ are similar and we therefore only consider the case for the former rule in detail. Here, $B_n$ must be of the form $p\,\bar t$ where $p$ is a predicate symbol and the upper sequent must be identical to the lower one except for the fact that $B_n$ is replaced by a formula of the form $B\,p\,\bar t$ where $B$ contains no nominal constants. Further, $B'_n$ is of the form $p\,\bar s$ where $p\,\bar t \approx p\,\bar s$. From this it follows that $B\,p\,\bar t \approx B\,p\,\bar s$ and hence that $\Sigma : B'_1, \ldots, B'_n \vdash B'_0$ can be the lower sequent of a rule whose upper sequent is related in the desired way via permutations to the upper sequent of the last rule in $\Pi$.

The only remaining rules to consider are $\mathcal{IL}$ and $\mathcal{CIR}$. Once again, the arguments in these cases are similar and we therefore consider only the case for $\mathcal{IL}$ in detail. Here, $\Pi$ ends with a rule of the form

$$\frac{\bar x : B\,S\,\bar x \vdash S\,\bar x \qquad \Sigma : B_1, \ldots, S\,\bar t \vdash B_0}{\Sigma : B_1, \ldots, p\,\bar t \vdash B_0}\ \mathcal{IL}$$

where $p$ is a predicate symbol defined by a clause of the form $\forall\bar x.\, p\,\bar x \triangleq B\,p\,\bar x$ and $S$ contains no nominal constants. Now, $B'_n$ must be of the form $p\,\bar t'$ where $p\,\bar t \approx p\,\bar t'$. Noting the proviso on $S$, it follows that $S\,\bar t \approx S\,\bar t'$. But then the following

$$\frac{\bar x : B\,S\,\bar x \vdash S\,\bar x \qquad \Sigma : B'_1, \ldots, S\,\bar t' \vdash B'_0}{\Sigma : B'_1, \ldots, p\,\bar t' \vdash B'_0}\ \mathcal{IL}$$

is also an instance of the $\mathcal{IL}$ rule and its upper sequents are related in the manner needed to those of the $\mathcal{IL}$ rule used in $\Pi$. □

Several rules in $\mathcal{G}$ require the selection of eigenvariables and nominal constants. Lemma 18 shows that we obtain what is essentially the same proof regardless of how we choose nominal constants in such rules so long as the local non-occurrence conditions are satisfied. A similar observation with regard to the choice of eigenvariables is also easily verified. We shall therefore identify below proofs that differ only in the choices of eigenvariables and nominal constants.

We now turn to the second of our desired results, the preservation of provability under 
substitutions. 

Lemma 19. Let $\Pi$ be a proof of $\Sigma : \Gamma \vdash C$ and let $\theta$ be a substitution. Then there is a proof $\Pi'$ of $\Sigma\theta : \Gamma\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor$ such that $\mathrm{ht}(\Pi') \le \mathrm{ht}(\Pi)$.

Proof. We show how to transform the proof $\Pi$ into a proof $\Pi'$ for the modified sequent. The transformation is by recursion on $\mathrm{ht}(\Pi)$, the critical part of it being a consideration of the last rule in $\Pi$. The transformation is, in fact, straightforward in all cases other than when this rule is $\rhd\mathcal{L}$, $\forall\mathcal{R}$, $\exists\mathcal{L}$, $\exists\mathcal{R}$, $\forall\mathcal{L}$, $\mathcal{IL}$ or $\mathcal{CIR}$: in the straightforward cases, we simply apply the substitution in a nominal capture-avoiding way to the lower and any possible upper sequents of the rule. It is easy to see that the resulting structure is still an instance of the same rule and its upper sequents are guaranteed to have proofs (of suitable heights) by induction.

Suppose that the last rule in $\Pi$ is an $\rhd\mathcal{L}$, i.e., it is of the form

$$\frac{\{\Sigma\rho : \Gamma\lfloor\rho\rfloor \vdash C\lfloor\rho\rfloor \mid \rho \text{ is a solution to } s \rhd t\}}{\Sigma : \Gamma, s \rhd t \vdash C}\ \rhd\mathcal{L}$$

Then the following

$$\frac{\{\Sigma(\theta \circ \rho') : \Gamma\lfloor\theta \circ \rho'\rfloor \vdash C\lfloor\theta \circ \rho'\rfloor \mid \rho' \text{ is a solution to } (s \rhd t)\lfloor\theta\rfloor\}}{\Sigma\theta : \Gamma\lfloor\theta\rfloor, (s \rhd t)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor}\ \rhd\mathcal{L}$$

is also an $\rhd\mathcal{L}$ rule. Noting that if $\rho'$ is a solution to $(s \rhd t)\lfloor\theta\rfloor$, then $\theta \circ \rho'$ is a solution to $s \rhd t$, we see that the upper sequents of this rule are contained in the upper sequents of the rule in $\Pi$. It follows that we can construct a proof of the lower sequent whose height is less than or equal to that of $\Pi$.

The argument is similar in the cases when the last rule in $\Pi$ is a $\forall\mathcal{R}$ or a $\exists\mathcal{L}$ so we consider only the former in detail. In this case the rule has the form

$$\frac{\Sigma, h : \Gamma \vdash B[h\,\bar c/x]}{\Sigma : \Gamma \vdash \forall x.\, B}\ \forall\mathcal{R}$$

where $\{\bar c\} = \mathrm{supp}(\forall x.\, B)$. Let $\{\bar a\} = \mathrm{supp}((\forall x.\, B)\lfloor\theta\rfloor)$. Further, let $h'$ be a new variable name. We assume without loss of generality that neither $h$ nor $h'$ appear in the domain or range of $\theta$. Letting $\rho = \theta \cup \{\lambda\bar c.\, h'\,\bar a / h\}$, consider the structure

$$\frac{(\Sigma, h)\rho : \Gamma\lfloor\rho\rfloor \vdash B[h\,\bar c/x]\lfloor\rho\rfloor}{\Sigma\theta : \Gamma\lfloor\theta\rfloor \vdash (\forall x.\, B)\lfloor\theta\rfloor}\ \forall\mathcal{R}$$

The upper sequent here is equivalent under $\lambda$-conversion to $\Sigma\theta, h' : \Gamma\lfloor\theta\rfloor \vdash B\lfloor\theta\rfloor[h'\,\bar a/x]$ so this structure is, in fact, also an instance of the $\forall\mathcal{R}$ rule. Moreover, its upper sequent is obtained via substitution from the upper sequent of the rule in $\Pi$. The lemma then follows by induction.

The arguments for the cases when the last rule is an $\exists\mathcal{R}$ or an $\forall\mathcal{L}$ are similar and so we provide it explicitly only for the former. In this case, we have the rule

$$\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma \vdash B[t/x]}{\Sigma : \Gamma \vdash \exists_\tau x.\, B}\ \exists\mathcal{R}$$

ending $\Pi$. Let $\pi$ be a permutation such that $\mathrm{supp}(\pi.(B[t/x])) \cap \mathrm{supp}(\theta) = \emptyset$. We assume without loss of generality that $x$ does not appear in the domain or range of $\theta$. Then consider the structure

$$\frac{\Sigma\theta, \mathcal{K}, \mathcal{C} \vdash (\pi.t)\lfloor\theta\rfloor : \tau \qquad \Sigma\theta : \Gamma\lfloor\theta\rfloor \vdash (\pi.B)\lfloor\theta\rfloor[(\pi.t)\lfloor\theta\rfloor/x]}{\Sigma\theta : \Gamma\lfloor\theta\rfloor \vdash (\exists_\tau x.\, B)\lfloor\theta\rfloor}\ \exists\mathcal{R}$$

The typing derivation here is well-formed since permutations and substitutions are type preserving. Additionally, $\mathrm{supp}(B) \subseteq \mathrm{supp}(B[t/x])$ implies $\mathrm{supp}(\pi.B) \cap \mathrm{supp}(\theta) = \emptyset$, and so the conclusion of the lower sequent is equivalent to $\exists_\tau x.\, (\pi.B)\lfloor\theta\rfloor$. Thus this structure is an instance of the $\exists\mathcal{R}$ rule. The term $(\pi.B)\lfloor\theta\rfloor[(\pi.t)\lfloor\theta\rfloor/x]$ is equal to $(\pi.(B[t/x]))\lfloor\theta\rfloor$ which is equivalent to $(B[t/x])\lfloor\theta\rfloor$. Thus the upper right sequent is obtained via substitution from the upper right sequent of the rule in $\Pi$. The lemma then follows by induction.

The only remaining cases for the last rule are $\mathcal{IL}$ and $\mathcal{CIR}$. The arguments in these cases are, yet again, similar and it suffices to make only the former explicit. In this case, the end of $\Pi$ has the form

$$\frac{\bar x : B\,S\,\bar x \vdash S\,\bar x \qquad \Sigma : \Gamma, S\,\bar t \vdash C}{\Sigma : \Gamma, p\,\bar t \vdash C}\ \mathcal{IL}$$

But then the following

$$\frac{\bar x : B\,S\,\bar x \vdash S\,\bar x \qquad \Sigma\theta : \Gamma\lfloor\theta\rfloor, (S\,\bar t)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor}{\Sigma\theta : \Gamma\lfloor\theta\rfloor, (p\,\bar t)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor}\ \mathcal{IL}$$

is also an instance of the $\mathcal{IL}$ rule. Moreover, the same proof as in $\Pi$ can be used for the left upper sequent and the right upper sequent has the requisite form for using the induction hypothesis. □

The proof of Lemma 19 effectively defines a transformation of a derivation $\Pi$ based on a substitution $\theta$. We shall use the notation $\Pi\lfloor\theta\rfloor$ to denote the transformed derivation. Note that $\mathrm{ht}(\Pi\lfloor\theta\rfloor)$ can be less than $\mathrm{ht}(\Pi)$. This may happen because the transformed version of a $\rhd\mathcal{L}$ rule can have fewer upper sequents.

Corollary 20. The following rules are admissible.

$$\frac{\Sigma, h : \Gamma \vdash B[h\,\bar a/x]}{\Sigma : \Gamma \vdash \forall x.\, B}\ \forall\mathcal{R}^* \qquad\qquad \frac{\Sigma, h : \Gamma, B[h\,\bar a/x] \vdash C}{\Sigma : \Gamma, \exists x.\, B \vdash C}\ \exists\mathcal{L}^*$$

where $h \notin \Sigma$ and $\bar a$ is any listing of distinct nominal constants which contains $\mathrm{supp}(B)$.

Proof. Let $\Pi$ be a derivation for $\Sigma, h : \Gamma \vdash B[h\,\bar a/x]$, let $h'$ be a variable that does not appear in $\Pi$, and let $\{\bar c\} = \mathrm{supp}(B)$. By Lemma 19, $\Pi\lfloor\lambda\bar a.\, h'\,\bar c/h\rfloor$ is a valid derivation. Since $\bar a$ contains $\bar c$, no nominal constants appear in the substitution $\{\lambda\bar a.\, h'\,\bar c/h\}$. It can now be seen that the last sequent in $\Pi\lfloor\lambda\bar a.\, h'\,\bar c/h\rfloor$ has the form $\Sigma, h' : \Gamma' \vdash B'$ where $B' \approx B[h'\,\bar c/x]$ and $\Gamma'$ results from replacing some of the formulas in $\Gamma$ by ones that they are equivalent to under $\approx$. But then, by Lemma 18, there must be a derivation for $\Sigma, h' : \Gamma \vdash B[h'\,\bar c/x]$. Using a $\forall\mathcal{R}$ rule below this we get a derivation for $\Sigma : \Gamma \vdash \forall x.\, B$, verifying the admissibility of $\forall\mathcal{R}^*$. The argument for $\exists\mathcal{L}^*$ is analogous. □

We now turn to the main result of this section, the redundancy from a provability perspective of the cut rule in $\mathcal{G}$. The usual approach to proving such a property is to define a set of transformations called cut reductions on derivations that leave the end sequent unchanged but that have the effect of pushing occurrences of cut up the proof tree to the leaves where they can be immediately eliminated. The difficult part of such a proof is showing that these cut reductions always terminate. In simpler sequent calculi such as the one for first-order logic, this argument can be based on an uncomplicated measure such as the size of the cut formula. However, the presence of definitions in a logic like $\mathcal{G}$ renders this measure inadequate. For example, the following is a natural way to define a cut reduction between a $\mathrm{def}\mathcal{L}$ and a $\mathrm{def}\mathcal{R}$ rule that work on the cut formula:

$$\frac{\dfrac{\dfrac{\Pi'}{\Sigma : \Gamma \vdash B\,p\,\bar t}}{\Sigma : \Gamma \vdash p\,\bar t}\ \mathrm{def}\mathcal{R} \qquad \dfrac{\dfrac{\Pi''}{\Sigma : B\,p\,\bar t, \Delta \vdash C}}{\Sigma : p\,\bar t, \Delta \vdash C}\ \mathrm{def}\mathcal{L}}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut} \quad\longrightarrow\quad \frac{\dfrac{\Pi'}{\Sigma : \Gamma \vdash B\,p\,\bar t} \qquad \dfrac{\Pi''}{\Sigma : B\,p\,\bar t, \Delta \vdash C}}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut}$$

Notice that $B\,p\,\bar t$, the cut formula in the new cut introduced by this transformation, could be more complex than $p\,\bar t$, the old cut formula. To overcome this difficulty, a more complicated argument based on the idea of reducibility in the style of Tait [28] is often used. Tiu and Momigliano [26] in fact formulate a notion of parametric reducibility for derivations that is based on Girard's proof of strong normalizability for System F [29] and that works in the presence of the induction and co-induction rules for definitions. Our proof makes extensive use of this notion and the associated argument structure.

Theorem 21. The cut rule can be eliminated from $\mathcal{G}$ without affecting the provability relation.

Proof. The relationship between $\mathcal{G}$ and the logic $\mathrm{Linc}^-$ treated by Tiu and Momigliano can be understood as follows: $\mathrm{Linc}^-$ does not treat the $\nabla$ quantifier and therefore has no rules for it. Consequently, it does not have nominal constants, it does not use raising over nominal constants in the rules $\forall\mathcal{R}$ and $\exists\mathcal{L}$, it has no need to consider permutations in the $\mathit{id}$ (or initial) rule and has equality rules in place of nominal abstraction rules. The rules in $\mathcal{G}$ other than the ones for $\nabla$, including the ones for definitions, induction, and co-induction, are essentially identical to the ones in $\mathrm{Linc}^-$ except for the additional attention to nominal constants.

Tiu and Momigliano's proof can be extended to $\mathcal{G}$ in a fairly direct way since the addition of nominal constants and their treatment in the rules is quite modular and does not create any new complexities for the reduction rules. The main issues in realizing this extension are building in the idea of identity under permutations of nominal constants and lifting the $\mathrm{Linc}^-$ notion of substitution on terms, sequents, and derivations to a form that avoids capture of nominal constants. The machinery for doing this has already been developed in Lemmas 18 and 19. In the rest of this proof we assume a familiarity with the argument for cut-elimination for $\mathrm{Linc}^-$ and discuss only the changes to the cut reductions of $\mathrm{Linc}^-$ to accommodate the differences.

The $\mathit{id}$ rule in $\mathcal{G}$ identifies formulas which are equivalent under $\approx$, which is more permissive than equality under $\lambda$-convertibility that is used in the $\mathrm{Linc}^-$ initial rule. Correspondingly, we have to be a bit more careful about the cut reductions associated with the $\mathit{id}$ (initial) rule. For example, consider the following reduction:

$$\frac{\dfrac{B \approx B'}{\Sigma : B, \Gamma \vdash B'}\ \mathit{id} \qquad \dfrac{\Pi'}{\Sigma : B', \Delta \vdash C}}{\Sigma : B, \Gamma, \Delta \vdash C}\ \mathit{cut} \quad\longrightarrow\quad \dfrac{\Pi'}{\Sigma : B', \Delta \vdash C}$$

This reduction has not preserved the end sequent. However, we know $B \approx B'$ and so we can now use Lemma 18 to replace $\Pi'$ with a derivation of $\Sigma : B, \Delta \vdash C$. Then we can use Lemma 17 to produce a derivation of $\Sigma : B, \Gamma, \Delta \vdash C$ as desired. The changes to the cut reduction when $\mathit{id}$ applies to the right upper sequent of the cut rule are similar.

The $\forall\mathcal{R}$ and $\exists\mathcal{L}$ rules of $\mathcal{G}$ extend the corresponding rules of $\mathrm{Linc}^-$ by raising over nominal constants in the support of the quantified formula. The $\forall\mathcal{L}$ and $\exists\mathcal{R}$ rules of $\mathcal{G}$ also extend the corresponding rules in $\mathrm{Linc}^-$ by allowing instantiations which contain nominal constants. Despite these changes, the cut reductions involving these quantifier rules remain unchanged for $\mathcal{G}$ except for the treatment of essential cuts that involve an interaction between $\forall\mathcal{R}$ and $\forall\mathcal{L}$ and, similarly, between $\exists\mathcal{R}$ and $\exists\mathcal{L}$. The first of these is treated as follows:

$$\frac{\dfrac{\dfrac{\Pi'}{\Sigma, h : \Gamma \vdash B[h\,\bar c/x]}}{\Sigma : \Gamma \vdash \forall x.\, B}\ \forall\mathcal{R} \qquad \dfrac{\dfrac{\Pi''}{\Sigma : \Delta, B[t/x] \vdash C}}{\Sigma : \Delta, \forall x.\, B \vdash C}\ \forall\mathcal{L}}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut} \quad\longrightarrow\quad \frac{\dfrac{\Pi'\lfloor\lambda\bar c.\, t/h\rfloor}{\Sigma : \Gamma \vdash B[t/x]} \qquad \dfrac{\Pi''}{\Sigma : \Delta, B[t/x] \vdash C}}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut}$$

The existence of the derivation $\Pi'\lfloor\lambda\bar c.\, t/h\rfloor$ (with height at most that of $\Pi'$) is guaranteed by Lemma 19. The end sequent of this derivation is $\Sigma : \Gamma\lfloor\lambda\bar c.\, t/h\rfloor \vdash B[h\,\bar c/x]\lfloor\lambda\bar c.\, t/h\rfloor$. However, $\Gamma\lfloor\lambda\bar c.\, t/h\rfloor \approx \Gamma$ because $h$ is new to $\Gamma$ and $B[h\,\bar c/x]\lfloor\lambda\bar c.\, t/h\rfloor \approx B[t/x]$ because $\{\bar c\} = \mathrm{supp}(B)$ and so $\lambda\bar c.\, t$ has no nominal constants in common with $\mathrm{supp}(B)$. Thus, by Lemma 18 and by an abuse of notation, we may consider $\Pi'\lfloor\lambda\bar c.\, t/h\rfloor$ to also be a derivation of $\Sigma : \Gamma \vdash B[t/x]$. The reduction for a cut involving an interaction between an $\exists\mathcal{R}$ and an $\exists\mathcal{L}$ rule is analogous.

The logic $\mathcal{G}$ extends the equality rules in $\mathrm{Linc}^-$ to treat the more general case of nominal abstraction. Our notion of nominal capture-avoiding substitution correspondingly generalizes the $\mathrm{Linc}^-$ notion of substitution, and we have shown in Lemma 19 that this preserves provability. Thus the reductions for nominal abstraction are the same as for equality, except that we use nominal capture-avoiding substitution in place of regular substitution. For example, the essential cut involving an interaction between an $\rhd\mathcal{R}$ and an $\rhd\mathcal{L}$ rule is treated as follows:

$$\frac{\dfrac{}{\Sigma : \Gamma \vdash s \rhd t}\ \rhd\mathcal{R} \qquad \dfrac{\{\Sigma\theta : \Delta\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor \mid \theta \text{ is a solution to } s \rhd t\}}{\Sigma : \Delta, s \rhd t \vdash C}\ \rhd\mathcal{L}}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut} \quad\longrightarrow\quad \Sigma : \Delta \vdash C$$

Here we know $s \rhd t$ holds and thus $\epsilon$, the identity substitution, is a solution to this nominal abstraction. Therefore we have the derivation of $\Sigma : \Delta \vdash C$ as needed. We can then apply Lemma 17 to weaken this derivation to one for $\Sigma : \Gamma, \Delta \vdash C$. For the other cuts involving nominal abstraction, we make use of the fact proved in Lemma 19 that nominal capture-avoiding substitution preserves provability. This allows us to commute other rules with $\rhd\mathcal{L}$. For example, consider the following occurrence of a cut where the upper right derivation uses an $\rhd\mathcal{L}$ on a formula different from the cut formula:

$$\frac{\dfrac{\Pi'}{\Sigma : \Gamma \vdash B} \qquad \dfrac{\left\{\dfrac{\Pi_\theta}{\Sigma\theta : B\lfloor\theta\rfloor, \Delta\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor} \;\middle|\; \theta \text{ is a solution to } s \rhd t\right\}}{\Sigma : B, \Delta, s \rhd t \vdash C}\ \rhd\mathcal{L}}{\Sigma : \Gamma, \Delta, s \rhd t \vdash C}\ \mathit{cut}$$

Cut reduction produces from this the following derivation:

$$\frac{\left\{\dfrac{\dfrac{\Pi'\lfloor\theta\rfloor}{\Sigma\theta : \Gamma\lfloor\theta\rfloor \vdash B\lfloor\theta\rfloor} \qquad \dfrac{\Pi_\theta}{\Sigma\theta : B\lfloor\theta\rfloor, \Delta\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor}}{\Sigma\theta : \Gamma\lfloor\theta\rfloor, \Delta\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor}\ \mathit{cut} \;\middle|\; \theta \text{ is a solution to } s \rhd t\right\}}{\Sigma : \Gamma, \Delta, s \rhd t \vdash C}\ \rhd\mathcal{L}$$
Finally, $\mathcal{G}$ has new rules for treating the $\nabla$-quantifier. The only reduction rule which deals specifically with either the $\nabla\mathcal{L}$ or $\nabla\mathcal{R}$ rule is the essential cut between both rules which is treated as follows:

$$\frac{\Pi' \qquad \Pi''}{\Sigma : \Gamma, \Delta \vdash C}\ \mathit{cut} \quad\longrightarrow\quad \Sigma : \Gamma, \Delta \vdash C$$

With these changes, the cut-elimination argument for $\mathrm{Linc}^-$ extends to $\mathcal{G}$, i.e., $\mathcal{G}$ admits cut-elimination. □

The consistency of $\mathcal{G}$ is an easy consequence of Theorem 21.

Corollary 22. The logic $\mathcal{G}$ is consistent, i.e., not all sequents are provable in it.

Proof. The sequent $\vdash \bot$ has no cut-free proof and, hence, no proof in $\mathcal{G}$. □

The cut-elimination theorem is important for more reasons than showing the consistency of $\mathcal{G}$. As one example, using the cut rule in constructing proofs in $\mathcal{G}$ involves the invention of relevant cut formulas that function as lemmas. Thus, knowing that this kind of creative step is not essential is helpful in designing automatic theorem provers that are both practical and complete.



6. A Pattern-Based Form for Definitions

When presenting a definition for a predicate, it is often convenient to write this as a collection of clauses whose applicability is also constrained by patterns appearing in the head. For example, in logics that support equality but not nominal abstraction, list membership may be defined by the two pattern-based clauses shown below.

$$\mathit{member}\ X\ (X :: L) \triangleq \top \qquad\qquad \mathit{member}\ X\ (Y :: L) \triangleq \mathit{member}\ X\ L$$

These logics also include rules for directly treating definitions presented in this way. In understanding these rules, use may be made of the translation of the extended form of definitions to a version that does not use patterns in the head and in which there is at most one clause for each predicate. For example, the definition of the list membership predicate would be translated to the following form:

$$\mathit{member}\ X\ K \triangleq (\exists L.\ K = (X :: L)) \vee (\exists Y \exists L.\ K = (Y :: L) \wedge \mathit{member}\ X\ L)$$

The treatment of patterns and multiple clauses can now be understood in terms of the rules for definitions using a single clause and the rules for equality, disjunction, and existential quantification.

In the logic $\mathcal{G}$ the notion of equality has been generalized to that of nominal abstraction. This allows us also to expand the pattern-based form of definitions to use nominal abstraction in determining the selection of clauses. By doing this, we would allow the head of a clausal definition to describe not only the term structure of the arguments, but also to place restrictions on the occurrences of nominal constants in these arguments. For example, suppose we want to describe the contexts in typing judgments by lists of the form $(c_1, T_1) :: (c_2, T_2) :: \ldots :: nil$ with the further proviso that each $c_i$ is a distinct nominal constant. We will allow this to be done by using the following pattern-based form of definition for the predicate $\mathit{cntx}$:

$$\mathit{cntx}\ nil \triangleq \top \qquad\qquad (\nabla x.\ \mathit{cntx}\ ((x, T) :: L)) \triangleq \mathit{cntx}\ L$$

Intuitively, the $\nabla$ quantifier in the head of the second clause imposes the requirement that, to match it, the argument of $\mathit{cntx}$ should have the form $(x, T) :: L$ where $x$ is a nominal constant that does not occur in either $T$ or $L$. To understand this interpretation, we could think of the earlier definition of $\mathit{cntx}$ as corresponding to the following one that does not use patterns or multiple clauses:

$$\mathit{cntx}\ K \triangleq (K = nil) \vee (\exists T \exists L.\ (\lambda x.\, (x, T) :: L) \rhd K \wedge \mathit{cntx}\ L)$$

Our objective in the rest of this section is to develop machinery for allowing the extended 
form of definitions to be used directly. We do this by presenting its syntax formally, by 
describing rules that allow us to employ such definitions and, finally, by justifying the new 
rules by means of a translation of the kind indicated above. 

Definition 23. A pattern-based definition is a finite collection of clauses of the form

$$\forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \triangleq B\,p\,\bar x$$

where $\bar t$ is a sequence of terms that do not have occurrences of nominal constants in them, $p$ is a constant such that $p\,\bar t$ is of type $o$ and $B$ is a term devoid of occurrences of $p$, $\bar x$ and nominal constants and such that $B\,p\,\bar x$ is of type $o$. Further, we expect such a collection of clauses to satisfy a stratification condition: there must exist an assignment of levels to predicate symbols such that for any clause $\forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \triangleq B\,p\,\bar x$ occurring in the set, assuming $p$ has arity $n$, it is the case that $\mathrm{lvl}(B\,(\lambda\bar x.\, \top)\,\bar x) \le \mathrm{lvl}(p)$. Notice that we allow the collection to contain more than one clause for any given predicate symbol.

The logical rules for treating pattern-based definitions are presented in Figure 6. These rules encode the idea of matching an instance of a predicate with the head of a particular clause and then replacing the predicate with the corresponding clause body. The kind of matching involved is made precise through the construction of a nominal abstraction after replacing the $\nabla$ quantifiers in the head of the clause by abstractions. The right rule embodies the fact that it is enough if an instance of any one clause can be used in this way to yield a successful proof. In this rule, the substitution $\theta$ that results from the matching must be applied in a nominal capture-avoiding way to the body. However, since $B$ does not contain nominal constants, the ordinary application of the substitution also suffices. To accord with the treatment in the right rule, the left rule must consider all possible ways in which an instance of an atomic assumption $p\,\bar s$ can be matched by a clause and must show that a proof can be constructed in each such case.

$$\frac{\Sigma : \Gamma \vdash (B\,p\,\bar x)[\theta]}{\Sigma : \Gamma \vdash p\,\bar s}\ \mathrm{def}\mathcal{R}^P \quad \text{for any clause } \forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \triangleq B\,p\,\bar x \text{ in } \mathcal{D} \text{ and any } \theta \text{ such that } \mathrm{range}(\theta) \cap \Sigma = \emptyset \text{ and } (\lambda\bar z.\, p\,\bar t)[\theta] \rhd p\,\bar s \text{ holds}$$

$$\frac{\left\{\Sigma\theta : \Gamma\lfloor\theta\rfloor, (B\,p\,\bar x)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor \;\middle|\; \forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \triangleq B\,p\,\bar x \in \mathcal{D} \text{ and } \theta \text{ is a solution to } ((\lambda\bar z.\, p\,\bar t) \rhd p\,\bar s)\right\}}{\Sigma : \Gamma, p\,\bar s \vdash C}\ \mathrm{def}\mathcal{L}^P$$

Figure 6: Introduction rules for a pattern-based definition $\mathcal{D}$

The soundness of these rules is the content of the following theorem whose proof also 
makes explicit the intended interpretation of the pattern-based form of definitions. 

Theorem 24. The pattern-based form of definitions and the associated proof rules do not add any new power to the logic. In particular, the $\mathrm{def}\mathcal{L}^P$ and $\mathrm{def}\mathcal{R}^P$ rules are admissible under the intended interpretation via translation of the pattern-based form of definitions.

Proof. Let $p$ be a predicate whose clauses in the definition being considered are given by the following set of clauses.

$$\{\forall\bar x_i.\, (\nabla\bar z_i.\, p\,\bar t_i) \triangleq B_i\,p\,\bar x_i\}_{i \in 1..n}$$

Let $p'$ be a new constant symbol with the same argument types as $p$. Then the intended interpretation of the definition of $p$ in a setting that does not allow the use of patterns in the head and that limits the number of clauses defining a predicate to one is given by the clause

$$\forall\bar y.\, p\,\bar y \triangleq \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,p\,\bar x_i$$

in which the variables $\bar y$ are chosen such that they do not appear in the terms $\bar t_i$ for $1 \le i \le n$. Note also that we are using the term constructor $p'$ here so as to be able to match the entire head of a clause at once, thus ensuring that the $\nabla$-bound variables in the head are assigned a consistent value for all arguments of the predicate.

Based on this translation, we can replace an instance of $\mathrm{def}\mathcal{R}^P$,

$$\frac{\Gamma \vdash (B_i\,p\,\bar x_i)[\theta]}{\Gamma \vdash p\,\bar s}\ \mathrm{def}\mathcal{R}^P$$

with the following sequence of rules, where the annotation "multiple" (a double inference line in the original) indicates that a rule is used multiple times.

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{\Gamma \vdash ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s)[\theta]}\ \rhd\mathcal{R} \qquad \Gamma \vdash (B_i\,p\,\bar x_i)[\theta]}{\Gamma \vdash (((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i)[\theta]}\ \wedge\mathcal{R}}{\Gamma \vdash \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i}\ \exists\mathcal{R}\ (\text{multiple})}{\Gamma \vdash \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i}\ \vee\mathcal{R}\ (\text{multiple})}{\Gamma \vdash p\,\bar s}\ \mathrm{def}\mathcal{R}$$

Note that we have made use of the fact that $\theta$ instantiates only the variables $\bar x_i$ and thus has no effect on $\bar s$. Further, the side condition associated with the $\mathrm{def}\mathcal{R}^P$ rule ensures that the $\rhd\mathcal{R}$ rule that appears as a left leaf in this derivation is well-formed.
Similarly, we can replace an instance of $\mathrm{def}\mathcal{L}^P$,

$$\frac{\left\{\Sigma\theta : \Gamma\lfloor\theta\rfloor, (B_i\,p\,\bar x_i)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor \;\middle|\; \theta \text{ is a solution to } ((\lambda\bar z_i.\, p\,\bar t_i) \rhd p\,\bar s)\right\}_{i \in 1..n}}{\Sigma : \Gamma, p\,\bar s \vdash C}\ \mathrm{def}\mathcal{L}^P$$

with the following sequence of rules

$$\dfrac{\dfrac{\left\{\dfrac{\dfrac{\dfrac{\{\Gamma\lfloor\theta\rfloor, (B_i\,p\,\bar x_i)\lfloor\theta\rfloor \vdash C\lfloor\theta\rfloor \mid \theta \text{ is a solution to } ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s)\}}{\Gamma, (\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s, B_i\,p\,\bar x_i \vdash C}\ \rhd\mathcal{L}}{\Gamma, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i \vdash C}\ \wedge\mathcal{L}^*}{\Gamma, \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i \vdash C}\ \exists\mathcal{L}\ (\text{multiple})\right\}_{i \in 1..n}}{\Gamma, \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar s) \wedge B_i\,p\,\bar x_i \vdash C}\ \vee\mathcal{L}\ (\text{multiple})}{\Gamma, p\,\bar s \vdash C}\ \mathrm{def}\mathcal{L}$$

Here $\wedge\mathcal{L}^*$ is an application of $c\mathcal{L}$ followed by $\wedge\mathcal{L}_1$ and $\wedge\mathcal{L}_2$ on the contracted formula. It is easy to see that the solutions to $(\lambda\bar z.\, p\,\bar t_i) \rhd p\,\bar s$ and $(\lambda\bar z.\, p'\,\bar t_i) \rhd p'\,\bar s$ are identical and hence the leaf sequents in this partial derivation are exactly the same as the upper sequents of the instance of the $\mathrm{def}\mathcal{L}^P$ rule being considered. □

A weak form of a converse to the above theorem also holds. Suppose that the predicate $p$ is given by the following clauses

$$\{\forall\bar x_i.\, (\nabla\bar z_i.\, p\,\bar t_i) \triangleq B_i\,p\,\bar x_i\}_{i \in 1..n}$$

in a setting that uses pattern-based definitions and that has the $\mathrm{def}\mathcal{L}^P$ and $\mathrm{def}\mathcal{R}^P$ but not the $\mathrm{def}\mathcal{L}$ and $\mathrm{def}\mathcal{R}$ rules. In such a logic, it is easy to see that the following is provable:

$$\Big(p\,\bar y \supset \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,p\,\bar x_i\Big) \wedge \Big(\bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,p\,\bar x_i \supset p\,\bar y\Big)$$

Thus, in the presence of cut, the $\mathrm{def}\mathcal{L}$ and $\mathrm{def}\mathcal{R}$ rules can be treated as derived rules relative to the translation interpretation of pattern-based definitions.

$$\frac{\{\bar x_i : B_i\,S\,\bar x_i \vdash \nabla\bar z_i.\, S\,\bar t_i\}_{i \in 1..n} \qquad \Sigma : \Gamma, S\,\bar s \vdash C}{\Sigma : \Gamma, p\,\bar s \vdash C}\ \mathcal{IL}^P$$

assuming $p$ is defined by the set of clauses $\{\forall\bar x_i.\, (\nabla\bar z_i.\, p\,\bar t_i) \triangleq B_i\,p\,\bar x_i\}_{i \in 1..n}$

Figure 7: Induction rule for pattern-based definitions

We would like also to allow patterns to be used in the heads of clauses when writing definitions that are intended to pick out the least and greatest fixed points, respectively. Towards this end we admit in a definition also clauses of the form $\forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \overset{\mu}{\triangleq} B\,p\,\bar x$ and $\forall\bar x.\, (\nabla\bar z.\, p\,\bar t) \overset{\nu}{\triangleq} B\,p\,\bar x$ with the earlier provisos on the form of $B$ and $\bar t$ and the types of $B$ and $p$ and with the additional requirement that all the clauses for any given predicate are unannotated or annotated uniformly with either $\mu$ or $\nu$. Further, a definition must satisfy stratification conditions as before. In reasoning about the least or greatest fixed point forms of definitions, we may use the translation into the earlier, non-pattern form together with the rules $\mathcal{IL}$ and $\mathcal{CIR}$. It is possible to formulate an induction rule that works directly from pattern-based definitions using the idea that to show $S$ to be an induction invariant for the predicate $p$, one must show that every clause of $p$ preserves $S$. A rule that is based on this intuition is presented in Figure 7. The soundness of this rule is shown in the following theorem.

Theorem 25. The $\mathcal{IL}^P$ rule is admissible under the intended translation of pattern-based definitions.

Proof. Let the clauses for $p$ in the pattern-based definition be given by the set

$$\{\forall\bar x_i.\, (\nabla\bar z_i.\, p\,\bar t_i) \triangleq B_i\,p\,\bar x_i\}_{i \in 1..n}$$

in which case the translated form of the definition for $p$ would be

$$\forall\bar y.\, p\,\bar y \triangleq \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,p\,\bar x_i.$$

In this context, the rightmost upper sequents of the $\mathcal{IL}^P$ and the $\mathcal{IL}$ rules that are needed to derive a sequent of the form $\Sigma : \Gamma, p\,\bar s \vdash C$ are identical. Thus, to show that the $\mathcal{IL}^P$ rule is admissible, it suffices to show that the left upper sequent in the $\mathcal{IL}$ rule can be derived in the original calculus from all but the rightmost upper sequent in an $\mathcal{IL}^P$ rule. Towards this end, we observe that we can construct the following derivation:

$$\dfrac{\left\{\dfrac{\dfrac{\dfrac{\{(\bar y, \bar x_i)\theta : (B_i\,S\,\bar x_i)\lfloor\theta\rfloor \vdash (S\,\bar y)\lfloor\theta\rfloor \mid \theta \text{ is a solution to } ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y)\}}{\bar y, \bar x_i : (\lambda\bar z_i.\, p'\,\bar t_i) \r
hd p'\,\bar y, B_i\,S\,\bar x_i \vdash S\,\bar y}\ \rhd\mathcal{L}}{\bar y, \bar x_i : ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,S\,\bar x_i \vdash S\,\bar y}\ \wedge\mathcal{L}^*}{\bar y : \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,S\,\bar x_i \vdash S\,\bar y}\ \exists\mathcal{L}\ (\text{multiple})\right\}_{i \in 1..n}}{\bar y : \bigvee_{i \in 1..n} \exists\bar x_i.\, ((\lambda\bar z_i.\, p'\,\bar t_i) \rhd p'\,\bar y) \wedge B_i\,S\,\bar x_i \vdash S\,\bar y}\ \vee\mathcal{L}\ (\text{multiple})$$

Since the variables $\bar y$ are distinct and do not occur in $\bar t_i$, the solutions to $(\lambda\bar z.\, p'\,\bar t_i) \rhd p'\,\bar y$ have a simple form. In particular, let $\bar t'_i$ be the result of replacing in $\bar t_i$ the variables $\bar z$ with distinct nominal constants. Then $\bar y = \bar t'_i$ will be a most general solution to the nominal abstraction. Thus the upper sequents of this derivation will be

$$\bar x_i : B_i\,S\,\bar x_i \vdash S\,\bar t'_i$$

which are derivable if and only if the sequents

$$\bar x_i : B_i\,S\,\bar x_i \vdash \nabla\bar z_i.\, S\,\bar t_i$$

are derivable. □

We do not introduce a co-induction rule for pattern-based definitions largely because we 
have encountered few interesting co-inductive definitions that require patterns and multiple 
clauses. 

7. Examples 

We now provide some examples to illuminate the properties of nominal abstraction and its usefulness in both specification and reasoning tasks; while $\mathcal{G}$ has many more features, their characteristics and applications have been exposed in other work (e.g., see [30, 31]).

In the examples that are shown, use will be made of the pattern-based form of definitions described in Section 6. We will also adopt the convention that tokens given by capital letters denote variables that are implicitly universally quantified over the entire clause.

7.1. Properties of $\nabla$ and freshness

We can use nominal abstraction to gain a better insight into the behavior of the $\nabla$ quantifier. Towards this end, let the $\mathit{fresh}$ predicate be defined by the following clause.

$$(\nabla x.\ \mathit{fresh}\ x\ E) \triangleq \top$$

We have elided the type of $\mathit{fresh}$ here; it will have to be defined at each type that it is needed in the examples we consider below. Alternatively, we can "inline" the definition by using nominal abstraction directly, i.e., by replacing occurrences of $\mathit{fresh}\ t_1\ t_2$ with $\exists E.\, (\lambda x.\, (x, E) \rhd (t_1, t_2))$ for a suitably typed pairing construct $(\cdot, \cdot)$.



[Figure 8 (type assignment rules): the rules conclude $\Gamma \vdash x : a$, $\Gamma \vdash (t_1\ t_2) : b$ and $\Gamma \vdash (\lambda x{:}a.\ t) : a \to b$; the premises were lost in extraction.]

Figure 8: Type assignment for $\lambda$-terms

Now let $B$ be a formula whose free variables are among $z, X_1, \ldots, X_n$, and let $\bar x = X_1 :: \ldots :: X_n :: nil$ where $::$ and $nil$ are constructors in the logic.¹ Then the following formulas logically imply one another in $\mathcal{G}$.

$$\nabla z.\, B \qquad\qquad \exists z.\, (\mathit{fresh}\ z\ \bar x \wedge B) \qquad\qquad \forall z.\, (\mathit{fresh}\ z\ \bar x \supset B)$$

Note that the type of $z$ allows it to be an arbitrary term in the last two formulas, but its occurrence as the first argument of $\mathit{fresh}$ will restrict it to being a nominal constant (even when $\bar x = nil$).



In the original presentation of the $\nabla$ quantifier [32], it was shown that one can move a $\nabla$ quantifier inwards over universal and existential quantifiers by using raising to encode an explicit dependency. To illustrate this, let $B$ be a formula with two variables abstracted out, and let $C \equiv D$ be shorthand for $(C \supset D) \wedge (D \supset C)$. The following formulas are provable in the logic.

$$\nabla z.\forall x.\, (B\ z\ x) \equiv \forall h.\nabla z.\, (B\ z\ (h\ z)) \qquad\qquad \nabla z.\exists x.\, (B\ z\ x) \equiv \exists h.\nabla z.\, (B\ z\ (h\ z))$$

In order to move a $\nabla$ quantifier outwards over universal and existential quantifiers, one would need a way to make non-dependency (i.e., freshness) explicit. This is now possible using nominal abstraction as shown by the following equivalences.

$$\forall x.\nabla z.\, (B\ z\ x) \equiv \nabla z.\forall x.\, (\mathit{fresh}\ z\ x \supset B\ z\ x)$$
$$\exists x.\nabla z.\, (B\ z\ x) \equiv \nabla z.\exists x.\, (\mathit{fresh}\ z\ x \wedge B\ z\ x)$$

Finally, we note that the two sets of equivalences for moving the $\nabla$ quantifier interact nicely. Specifically, starting with a formula like $\nabla z.\forall x.\, (B\ z\ x)$ we can push the $\nabla$ quantifier inwards and then outwards to obtain $\nabla z.\forall h.\, (\mathit{fresh}\ z\ (h\ z) \supset B\ z\ (h\ z))$. Here $\mathit{fresh}\ z\ (h\ z)$ will only be satisfied if $h$ does not use its first argument, as expected.

7.2. Type uniqueness for the simply-typed $\lambda$-calculus

As a more complete example, we consider the problem of showing the uniqueness of type assignment for the simply-typed $\lambda$-calculus. The typing rules used in the assignment are shown in Figure 8. We introduce the type $tp$ to denote the collection of simple types and the constants $i : tp$ to represent the (single) atomic type and $arr : tp \to tp \to tp$ to represent the function type constructor. Representations of $\lambda$-terms will have the type $tm$ and will be constructed using the constants $app : tm \to tm \to tm$ and $abs : tp \to (tm \to tm) \to tm$ that are chosen to represent application and abstraction, respectively. Finally we introduce a type $a$ for typing assumptions together with the constant $(\cdot, \cdot) : tm \to tp \to a$, and the type $alist$ for lists of typing assumptions constructed from the constants $nil : alist$ and the infix constant $::$ of type $a \to alist \to alist$. We define the predicate $\mathit{member}$ of type $a \to alist \to o$ and encode the simple typing of $\lambda$-terms in the definition of a predicate $\mathit{of}$ with type $alist \to tm \to tp \to o$ as shown in Figure 9. Note here that the side-condition on the rule for typing abstractions is subsumed by the treatment of $\nabla$ in the logic.

¹We are, once again, finessing typing issues here in that the $X_i$ variables may not all be of the same type. However, this problem can be solved by surrounding each of them with a constructor that yields a term with a uniform type.

$$\mathit{member}\ P\ (P :: L) \triangleq \top$$
$$\mathit{member}\ P\ (Q :: L) \triangleq \mathit{member}\ P\ L$$
$$\mathit{of}\ L\ X\ A \triangleq \mathit{member}\ (X, A)\ L$$
$$\mathit{of}\ L\ (app\ M\ N)\ B \triangleq \exists A.\ \mathit{of}\ L\ M\ (arr\ A\ B) \wedge \mathit{of}\ L\ N\ A$$
$$\mathit{of}\ L\ (abs\ A\ R)\ (arr\ A\ B) \triangleq \nabla x.\ \mathit{of}\ ((x, A) :: L)\ (R\ x)\ B$$

Figure 9: Encoding of type assignment for $\lambda$-terms

$$\mathit{cntx}\ nil \triangleq \top$$
$$(\nabla x.\ \mathit{cntx}\ ((x, A) :: L)) \triangleq \mathit{cntx}\ L$$

Figure 10: $\mathit{cntx}$ in $\mathcal{G}$
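As an added worked instance of the translation used in the proof of Theorem 24 (not part of the original text), the three clauses for $\mathit{of}$ in Figure 9 translate, with a fresh constant $\mathit{of}'$ of the same argument types, to the single clause below. In the first two clauses the head has no $\nabla$-bound variables, so the nominal abstraction degenerates to equality of the $\mathit{of}'$-terms; in the third, $\nabla$ survives only in the body.

$$
\begin{array}{l}
\forall y_1, y_2, y_3.\ \mathit{of}\ y_1\ y_2\ y_3 \triangleq \\
\quad (\exists L, X, A.\ (\mathit{of}'\ L\ X\ A \rhd \mathit{of}'\ y_1\ y_2\ y_3) \wedge \mathit{member}\ (X, A)\ L) \\
\quad \vee\ (\exists L, M, N, B.\ (\mathit{of}'\ L\ (app\ M\ N)\ B \rhd \mathit{of}'\ y_1\ y_2\ y_3) \wedge \exists A.\ \mathit{of}\ L\ M\ (arr\ A\ B) \wedge \mathit{of}\ L\ N\ A) \\
\quad \vee\ (\exists L, A, R, B.\ (\mathit{of}'\ L\ (abs\ A\ R)\ (arr\ A\ B) \rhd \mathit{of}'\ y_1\ y_2\ y_3) \wedge \nabla x.\ \mathit{of}\ ((x, A) :: L)\ (R\ x)\ B)
\end{array}
$$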

Given this encoding of simple typing, the task of showing the uniqueness of type assignment reduces to proving the following formula:

$$\forall t, a, b.\ (\mathit{of}\ nil\ t\ a \wedge \mathit{of}\ nil\ t\ b) \supset a = b.$$

While the theorem that is ultimately of interest is stated with a $nil$ context, it is not difficult to see that in an inductive proof we will have to consider the more general case where this context is not empty. However, the typing context is not entirely arbitrary. It must have the form $(x_1, a_1) :: \ldots :: (x_n, a_n) :: nil$ where each $x_i$ is unique and atomic (a nominal constant). If we assume a predicate $\mathit{cntx}$ which restricts the structure of typing contexts in this way, then we can state our generalized result as follows.

$$\forall \ell, t, a, b.\ (\mathit{cntx}\ \ell \wedge \mathit{of}\ \ell\ t\ a \wedge \mathit{of}\ \ell\ t\ b) \supset a = b$$

This is now provable by a straightforward induction on either of the typing assumptions.

We turn now to the question of defining a suitable $\mathit{cntx}$ predicate. Using nominal abstraction, we can define $\mathit{cntx}$ directly and succinctly as shown in Figure 10. An instance of the second clause must replace $x$ with a nominal constant and $A$ and $L$ by terms which do not contain that nominal constant. The atomicity and distinctness properties of typing assumptions follow naturally from this. To better appreciate the elegance of this approach, consider how one would enforce atomicity and distinctness without nominal abstraction. In a logic such as $LG^\omega$, the restrictions imposed by $\mathit{cntx}$ would have to be encoded via negative information as shown in Figure 11. This description of typing contexts is cumbersome and non-modular. For example, if we were to add a new constructor for $\lambda$-terms and a typing rule associated with this constructor then, even though the structure of typing contexts has not changed, we would need to change $\mathit{cntx}$ to rule out this constructor from occurring in typing contexts. We will use the definition of $\mathit{cntx}$ with nominal abstraction going forward.

$$\mathit{cntx}\ nil \triangleq \top$$
$$\mathit{cntx}\ ((X, A) :: L) \triangleq (\forall M, N.\ X = app\ M\ N \supset \bot) \wedge (\forall R, B.\ X = abs\ B\ R \supset \bot) \wedge (\forall B.\ \mathit{member}\ (X, B)\ L \supset \bot) \wedge \mathit{cntx}\ L$$

Figure 11: $\mathit{cntx}$ in $LG^\omega$

When proving the generalized type uniqueness property, the typing context becomes
important at two points: when considering the base case where a typing assumption is
looked up in the context, and when extending the context with a new typing assumption.
When a typing assumption is found in the context, we must show that it is unique. The
definition of cntx describes the structure of typing assumptions that occur at the head of a
context, and the following lemma uses induction to generalize this to arbitrary elements of
the context.

$\forall \ell, m, a, b.\ (\mathit{cntx}\ \ell \wedge \mathit{member}\ \langle m, a\rangle\ \ell \wedge \mathit{member}\ \langle m, b\rangle\ \ell) \supset a = b$

This property can be shown by induction on cntx followed by case analysis on the member
hypotheses. The interesting case is when we have ℓ = ⟨m, a⟩ :: ℓ' and member ⟨m, b⟩ ℓ'.
Applying defR to cntx (⟨m, a⟩ :: ℓ') in this case replaces m with a nominal constant that ℓ'
cannot contain. The assumption that member ⟨m, b⟩ ℓ' then leads to a contradiction, thus
eliminating this case. Moving on to the second point, when adding a typing assumption to
the context, we need to show that the resulting context still satisfies the cntx predicate. This
boils down to showing the following.

$\forall \ell, a.\ (\mathit{cntx}\ \ell \supset \nabla x.\ \mathit{cntx}\ (\langle x, a\rangle :: \ell))$

This follows directly from applying defR to cntx. With these issues taken care of, the rest
of the type uniqueness proof is straightforward.

In order for the above reasoning to be meaningful, we must show that our encoding of
the simply-typed λ-calculus is adequate. The crux of this is showing that Γ ⊢ t : a holds in
the simply-typed λ-calculus if and only if ⊢ of ⌜Γ⌝ ⌜t⌝ ⌜a⌝ is provable in G. Here ⌜·⌝ is a
bijective mapping between objects of the simply-typed λ-calculus and their representation
in G. Since G admits cut-elimination, it is straightforward to analyze how ⊢ of ⌜Γ⌝ ⌜t⌝ ⌜a⌝
might be proven in the logic. Then the only subtlety in showing adequacy is that the first
clause for of allows the type of any object to be looked up in the context while the first typing
rule for the simply-typed λ-calculus only allows the type of variables to be looked up. This is
resolved by noting that typing contexts only contain bindings for variables. Alternatively,
using nominal abstraction, it is possible to give a definition of typing which is closer to the
original rules (Figure 8) by replacing the first clause of of with the following.

$(\nabla x.\ \mathit{of}\ (L\ x)\ x\ A) \triangleq \nabla x.\ \mathit{member}\ \langle x, A\rangle\ (L\ x)$

An additional benefit of this encoding is that in proofs such as for type uniqueness we no
longer need to consider spurious cases where the type of a term such as app m n is looked
up in the typing context.

We can now put everything together to establish the type uniqueness result for the
simply-typed λ-calculus. Suppose Γ ⊢ t : a and Γ ⊢ t : b are judgments in the simply-typed
λ-calculus. Then by adequacy we know ⊢ of ⌜Γ⌝ ⌜t⌝ ⌜a⌝ and ⊢ of ⌜Γ⌝ ⌜t⌝ ⌜b⌝ are provable
in G. Using these assumptions, the cut rule, and the type uniqueness result proved earlier in
G, we know that ⊢ ⌜a⌝ = ⌜b⌝ has a proof in G. Thus it also has a cut-free proof. This proof
must end with =R, which means that ⌜a⌝ is equal to ⌜b⌝. Finally, since ⌜·⌝ is bijective,
a must equal b.

7.3. Polymorphic type generalization

In addition to reasoning, nominal abstraction can also be useful in providing declarative
specifications of computations. We consider the context of a type inference algorithm that
is also discussed in [33] to illustrate such an application. In this setting, we might need a
predicate spec that relates a polymorphic type σ, a list of distinct variables ā (represented
by nominal constants) and a monomorphic type τ just in the case that σ = ∀ā.τ. Using
nominal abstraction, we can define this predicate as follows.

$\mathit{spec}\ (\mathit{monoTy}\ T)\ \mathit{nil}\ T \triangleq \top$
$(\nabla x.\ \mathit{spec}\ (\mathit{polyTy}\ P)\ (x :: L)\ (T\ x)) \triangleq \nabla x.\ \mathit{spec}\ (P\ x)\ L\ (T\ x).$

Note that we use ∇ in the head of the second clause to associate the variable x at the head
of the list L with its occurrences in the type (T x). We then use ∇ in the body of this clause
to allow for the recursive use of spec.

7.4. Arbitrarily cascading substitutions

Many reducibility arguments, such as Tait's proof of normalization for the simply typed
λ-calculus [28], are based on judgments over closed terms. During reasoning, however, one
often has to work with open terms. To accommodate this requirement, the closed term judg-
ment is extended to open terms by considering all possible closed instantiations of the open
terms. When reasoning with G, open terms are denoted by terms with nominal constants
representing free variables. The general form of an open term is thus M c₁ ⋯ cₙ, and we
want to consider all possible instantiations M V₁ ⋯ Vₙ where the Vᵢ are closed terms. This
type of arbitrary cascading substitution is difficult to realize in reasoning systems where
variables are given a simple type, since M would have an arbitrary number of abstractions
but the type of M would a priori fix that number of abstractions.

We can define arbitrary cascading substitutions in G using nominal abstraction. In
particular, we can define a predicate which holds on a list of pairs ⟨cᵢ, Vᵢ⟩, a term with
the form M c₁ ⋯ cₙ and a term of the form M V₁ ⋯ Vₙ. The idea is to iterate over
the list of pairs and for each pair ⟨c, V⟩ use nominal abstraction to abstract c out of the
first term and then substitute V before continuing. The following definition of the predicate
subst is based on this idea.

$\mathit{subst}\ \mathit{nil}\ T\ T \triangleq \top$
$(\nabla x.\ \mathit{subst}\ (\langle x, V\rangle :: L)\ (T\ x)\ S) \triangleq \mathit{subst}\ L\ (T\ V)\ S$

The ideas in this substitution predicate have been used to formalize Tait's logical relations
argument for the weak normalization of the simply-typed λ-calculus in a logic similar to
G [19]. Here, an important property of arbitrary cascading substitutions is that they act
compositionally. For instance, taking the slightly simpler example of the untyped λ-calculus,
we can show that subst acts compositionally via the following lemmas.

$\forall \ell, t, r, s.\ \mathit{subst}\ \ell\ (\mathit{app}\ t\ r)\ s \supset \exists u, v.\ (s = \mathit{app}\ u\ v \wedge \mathit{subst}\ \ell\ t\ u \wedge \mathit{subst}\ \ell\ r\ v)$
$\forall \ell, t, r.\ \mathit{subst}\ \ell\ (\mathit{abs}\ t)\ r \supset \exists s.\ (r = \mathit{abs}\ s \wedge \nabla z.\ \mathit{subst}\ \ell\ (t\ z)\ (s\ z))$

Both of these lemmas have straightforward proofs by induction on subst.
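The following is an added, executable model of the definitions in Figures 9 and 10 (Section 7.2) and of the subst predicate and its two compositionality lemmas (Section 7.4). It is not code from the paper and it does not implement the logic G; it only lets one run the definitions on concrete terms. The modelling assumptions are: nominal constants are Python strings, the binder of abs is a Python function (λ-tree syntax), and each ∇x is modelled by a freshly generated name that is never reused. The relation of is computed as the set of all types it admits for a term, so type uniqueness becomes the observable statement that this set has at most one element, and compositional checks the two subst lemmas on a given term rather than proving them.

```python
# Executable model of cntx/of (Section 7.2, Figures 9 and 10) and of subst
# (Section 7.4).  Added illustration, not the paper's code and not an
# implementation of G: nominal constants are strings, the binder of `abs` is a
# Python function (lambda-tree syntax), ∇x is a never-reused fresh name.
from dataclasses import dataclass
from itertools import count
from typing import Callable, Optional, Union

Term = Union[str, "App", "Abs"]   # a str is a nominal constant
Ty = Union[str, "Arr"]            # a str is a base type

@dataclass(frozen=True)
class Arr:
    dom: Ty
    cod: Ty

@dataclass(frozen=True)
class App:
    fn: Term
    arg: Term

@dataclass(frozen=True)
class Abs:
    body: Callable[[Term], Term]   # R in `abs A R`
    ty: Optional[Ty] = None        # annotation A; None for untyped terms

_fresh = count(1)

def nabla() -> str:
    """Model of ∇x: a nominal constant that occurs nowhere else."""
    return f"#{next(_fresh)}"   # '#' keeps it apart from hand-written names

def cntx(ctx: list) -> bool:
    """Figure 10 as a check: entries bind atomic, pairwise distinct constants."""
    names = [x for x, _ in ctx]
    return all(isinstance(x, str) for x in names) and len(set(names)) == len(names)

def extend(ctx: list, a: Ty) -> tuple:
    """∇x. cntx (⟨x,a⟩ :: ctx): a fresh constant keeps cntx true."""
    x = nabla()
    return x, [(x, a)] + ctx

def member_types(ctx: list, m: Term) -> set:
    """All types bound to m; at most one element when cntx ctx holds (7.2)."""
    return {a for x, a in ctx if x == m}

def types_of(ctx: list, t: Term) -> set:
    """`of` from Figure 9 as the set of all B with `of ctx t B`: the ∃A of the
    app clause is a join over the argument's types; ∇x is a fresh constant."""
    if isinstance(t, str):
        return member_types(ctx, t)
    if isinstance(t, App):
        fns, args = types_of(ctx, t.fn), types_of(ctx, t.arg)
        return {f.cod for f in fns if isinstance(f, Arr) and f.dom in args}
    x, ext = extend(ctx, t.ty)
    return {Arr(t.ty, b) for b in types_of(ext, t.body(x))}

def replace(t: Term, c: str, v: Term) -> Term:
    """Replace nominal constant c by v: the `T V` step of the second subst clause."""
    if isinstance(t, str):
        return v if t == c else t
    if isinstance(t, App):
        return App(replace(t.fn, c, v), replace(t.arg, c, v))
    return Abs(lambda z: replace(t.body(z), c, v), t.ty)

def subst(pairs: list, t: Term) -> Term:
    """subst (Section 7.4) as a function: for each ⟨c, V⟩ in order, abstract c
    and substitute V; earlier substitutions feed later ones (the cascade)."""
    for c, v in pairs:
        t = replace(t, c, v)
    return t

def equal(s: Term, t: Term) -> bool:
    """Structural equality; binder bodies are compared under a fresh constant."""
    if isinstance(s, str) or isinstance(t, str):
        return s == t
    if isinstance(s, App) and isinstance(t, App):
        return equal(s.fn, t.fn) and equal(s.arg, t.arg)
    if isinstance(s, Abs) and isinstance(t, Abs):
        z = nabla()
        return s.ty == t.ty and equal(s.body(z), t.body(z))
    return False

def compositional(pairs: list, t: Term) -> bool:
    """The two lemmas of Section 7.4 checked on one term: subst into `app t r`
    gives `app u v` with u, v the substitutions of t and r; subst into `abs t`
    gives `abs s` with `s z` the substitution of `t z` for fresh z."""
    s = subst(pairs, t)
    if isinstance(t, App):
        return (isinstance(s, App) and equal(s.fn, subst(pairs, t.fn))
                and equal(s.arg, subst(pairs, t.arg)))
    if isinstance(t, Abs):
        z = nabla()
        return isinstance(s, Abs) and equal(s.body(z), subst(pairs, t.body(z)))
    return True   # a bare nominal constant: nothing to decompose
```

A context that violates cntx, for instance one binding the same constant twice, makes types_of return two types for that constant; this is exactly the case the cntx hypothesis of the generalized uniqueness statement rules out. The cascading behaviour of subst shows up when a later pair mentions a constant introduced by an earlier one: subst over the list ⟨x, y⟩ :: ⟨y, z⟩ :: nil sends x to z.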



8. Related Work

We structure the discussion of related work into three parts: the previously existing
framework that G builds on, alternative proposals for treating binding in syntax and different
approaches for relating specifications of formal systems and reasoning about them.

8.1. The precursors for G

The logic G that we have described in this paper provides a framework for intuitionistic
reasoning that is characterized by its use of typed λ-terms for representing objects, of a
fixed-point notion of definitions with associated principles of induction and co-induction, of
the special ∇-quantifier to express generic judgments and of nominal abstraction for making
explicit the properties of objects captured by the ∇-quantifier. All these features except
the last derive from previously described logics. The style in which definitions are treated
originates from work by Schroeder-Heister [34] and Girard [?]. McDowell and Miller used
this idea within a fragment of the Simple Theory of Types and added to this also a treatment
of induction over natural numbers [?]. The resulting logic, called FOλ^ΔIN, provides a means
for reasoning about specifications of computations over objects involving abstractions in
which universally quantified judgments are used to capture the dynamic aspects of such
abstractions. While such an encoding suffices for many purposes, Miller and Tiu discovered
its inadequacy in, for example, treating the distinctness of names in arguments relating
to the π-calculus and they developed the logic FOλ^Δ∇ with the new ∇-quantifier as a
vehicle for overcoming this deficiency. Tiu then showed how to incorporate inductive
and co-inductive forms of definitions into this context [8]. However, the properties initially
assumed for the ∇-quantifier were too weak to support sophisticated forms of reasoning
based on (co-)induction, and this led to the addition of the ∇-strengthening and ∇-exchange
principles [18]. The logic that is a composite of all these features still lacks the ability,
often needed in inductive arguments, to make explicit in a systematic way properties such
as the freshness and distinctness of nominal constants (i.e., the variables bound by the
∇-quantifier). Nominal abstraction, whose study has been the main focus of this paper,
provides a natural means for reflecting such properties into definitions and as such represents
a culmination of this line of development.

The exchange property assumed for the ∇-quantifier appears to have a natural justi-
fication. On the other hand, the strengthening property, while useful in many reasoning
contexts, brings with it the implicit requirement that the types at which ∇-quantifiers are
used be inhabited by an unbounded number of members. This assumption may complicate
the process of showing the adequacy of an encoding, an important part of using a logical
framework in formalizing the properties of a computational system. The observation con-
cerning adequacy has led Baelde to develop an alternative approach to enriching the structure
provided by FOλ^ΔIN [35, 36]. Specifically, he has proposed treating the ∇-quantifier as a
defined symbol, including in its definition also the ability to lift its predicative effect over
types. The exchange property for the quantifier follows from this enrichment, while the
properties (∇x.P) ⊃ P and P ⊃ (∇x.P) where x does not occur in P are shown to hold
for certain syntactic classes of formulas. The resulting logic has a domain of application
that overlaps with that of G but, in our opinion, may not be as convenient to use in actual
reasoning tasks. A detailed consideration of this issue and also the quantification of the real
differences in adequacy arguments are left for future investigation.

8.2. Nominal logic

The ∇-quantifier of G bears several similarities to the И-quantifier contained in nominal
logic. As presented in [37], nominal logic is, in essence, a variant of first-order logic whose
defining characteristics are that it distinguishes certain domains as those of atoms or names
and takes as primitive a freshness predicate, denoted by the infix operator #, between
atoms and other objects and a swapping operation involving a pair of names and a term.
The logic then formalizes certain properties of the swapping operation (referred to as equiv-
ariance properties) and of freshness. One of the freshness axioms leads to the availability
of an unbounded supply of names, an aspect that is reminiscent of the consequence of the
strengthening rule associated with the ∇-quantifier. Letting φ be a formula whose free vari-
ables are among a, x₁, ..., xₙ, where a is of atom type, another consequence of the swapping and
freshness axioms is the following equivalence:

$\exists a.\ (a \mathbin{\#} x_1 \wedge \ldots \wedge a \mathbin{\#} x_n \wedge \phi) \equiv \forall a.\ (a \mathbin{\#} x_1 \wedge \ldots \wedge a \mathbin{\#} x_n \supset \phi)$

The И-quantifier can be defined in this setting by translating Иa.φ into either one of the
formulas shown in this equivalence. In our presentation of G, we have taken the ∇-quantifier
to be primitive and we have shown that we can define a fresh predicate using nominal
abstraction. As we have seen in Section 7.1, we then get a set of equivalences between ∇,
the traditional quantifiers and fresh that is reminiscent of the one discussed here involving
the И-quantifier.

At a deeper level, there appears to be some convergence in the treatment of syntax
between the nominal logic approach and the one supported by G using λ-terms. For example,
both make use of self-dual quantifiers to manage names and both provide predicates for
freshness, equality, and inequality on names. Probably the most fruitful way to compare these
approaches in detail is via their respective proof theories: see [38, 39] for some proof theory
developments for nominal logics. To illustrate such a convergence, we note that nominal
logic has inspired a variant to logic programming in the form of the αProlog language [?].
The specifications written in αProlog have a Horn-clause-like structure with the important
difference that the И-quantifier is permitted to appear in the head. Clauses of this kind bear
a resemblance to the pattern-based form of definitions discussed in Section 6 in which the
∇-quantifier may appear at the front of clauses. In fact, it is shown in [40] that the former
can be directly translated to the latter. The animation of such definitions in G through the
defR rule requires the solution of nominal abstraction problems that is similar in several
respects to the equivariant unification [41] needed in an interpreter for αProlog.

These similarities notwithstanding, the intrinsic structures of nominal logic and G are
actually quite different. The former logic is first-order in spirit and does not include a binding
construct at the outset. While it is possible to define a (first-order) binding constructor in
nominal logic that obeys the principle of α-equivalence, the resulting binder is not capable
of directly supporting λ-tree syntax. In particular, β-equivalence is not internalized with
these terms: as a consequence, term-level substitution has to be explicitly formalized and
its formal properties need to be established on a case-by-case basis. While such a first-order
encoding has some drawbacks from the perspective of treating binding structure, it has the
benefit that it can be more easily formalized within the logic of existing theorem provers
such as Coq and Isabelle/HOL [42, 43, 44].

8.3. Separation of specification and reasoning logics

An important envisaged use of G is in realizing the two-level approach to reasoning about
the operational semantics of programming languages and process calculi. The first step in
this approach is to use a specification logic to encode such operational semantics as well
as assortments of other properties such as typing. The second step involves embedding
provability of this first logic into a second logic, called the reasoning logic. This two-level-
logic approach, pioneered by McDowell and Miller [30, 45], offers several benefits, such as the
ability to internalize into the reasoning logic properties about derivations in the specification
logic and to use these uniformly in reasoning about the specifications of particular systems.
For example, cut-elimination for the specification logic can be used to prove substitution
lemmas in the reasoning logic. Another benefit is that λ-tree syntax is available for both
logics since the specification logic is a simple definition within the reasoning logic. Part of our
motivation for G was for it to play the role of a powerful reasoning logic. In particular, G has
been provided an implementation in the Abella system [21]. Given the richer expressiveness
of G, it has been possible to redo the example proofs in [30] in a much more understandable
way.
Pfenning and Schürmann [47] also describe a two-level approach in which the terms and
types of a dependently typed λ-calculus called LF are used as specifications and a logic
called M₂ is used for the reasoning logic. Schürmann's PhD thesis [48] further extended that
reasoning logic to one called M₂⁺. This framework is realized in the Twelf system [15], which
also provides a related style of meta-reasoning based on mode, coverage, and termination
checking over higher-order judgments in LF. This approach makes use of λ-tree syntax at
both the specification and reasoning levels and goes beyond what is available with G in that
it exploits the sophistication of dependent types that also provides for the encoding of proof
objects. On the other hand, the kinds of meta-level theorems that can be proved in this
setting are structurally weaker than those that can be proved in G. For example, implication
and negation are not present in M₂⁺ and cannot be encoded in higher-order LF judgments.
Concretely, this means that properties such as bisimulation for CCS or the π-calculus are
not provable in this approach.

A key component in M₂⁺ and in the higher-order LF judgment approach to meta-
reasoning is the ability to specify invariants related to the structure of meta-logical contexts.
These invariants are called regular worlds and their analogue in our system is judgments such
as cntx which explicitly describe the structure of contexts. While the approach to proving
properties in Twelf is powerful and convenient for many applications, it may be preferable
to have the ability to define invariants such as cntx explicitly rather than relying on regular
worlds, since this allows more general judgments over contexts to be described, such as in the
example of arbitrary cascading substitutions (Section 7.4) where the subst predicate actively
manipulates the context of a term.